TACACS+ authorization

I can't control AAA authorization using TACACS+ on Win2k. I have the following commands on my router:

aaa new-model
aaa group server tacacs+ ciscosecure
aaa authorization config-commands
aaa authorization exec ciscosecure group tacacs+
aaa authorization network ciscosecure group tacacs+

Authentication is fine; I can even control login by time of day. Only authorization is a problem; I need to define groups for users to belong to.

Thank you

Francois

Hello Francois,

You must add the following line(s) for command authorization on the router:

aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+

Thank you

Renault

Tags: Cisco Security

Similar Questions

  • ACS shell command authorization / TACACS+ on 2900XL

    Hello all,

    I am struggling with a particular issue here. I am running ACS 3.2 and trying to implement secure access to my switch. I have 'students' at my university whom I want to let run specific functions, i.e. change the port VLAN, write memory, etc.

    I have successfully created the authorization piece, and my test account can log in. I have also successfully assigned a privilege level of 7, which gives me a base set of default rights. Accounting works as well, showing me logins and the commands entered.

    What I want to do is use ACS to permit a particular group of commands, so I can change it in one place (ACS) if needed and not touch 400+ devices. ACS says it can be done, but it doesn't seem to work. I created a shell command set and specified commands, no luck. Even if I change the 'unmatched commands' toggle to 'permit' (which should permit all commands, right?) it still does not permit all commands. I added the shell command set to the group of which the students are members...

    My AAA commands are as follows:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 7 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Any ideas? Any thoughts?

    Thank you!

    Michael

    QU.edu

    Michael,

    You are performing command authorization for commands that exist at privilege level 7. By default, configuration commands have a privilege level of 15. There are two ways you can go about solving this problem. The first would be to set up command authorization for level 15. The second would be to change the privilege level of the commands you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows the use of this technique locally within the device: http://www.Cisco.com/warp/public/480/Priv.html

    I don't know if ACS can push the device configuration on a per-user basis, so the first option may be your best bet. Be sure to permit access to all commands for yourself.

    Steve

  • TACACS authorization - show arp

    I'm not a network administrator, but I manage a number of devices that have the ability to manipulate traffic. There are times when these devices fail and the ARP cache and CAM tables on our Cisco equipment have to be updated. Because of this point of contact, I need the ability to verify the accuracy of these tables.

    Our Cisco team uses TACACS to manage access to our networking equipment. I asked for the ability to simply run the "show arp" and "show cam" commands on a handful of devices, but have been informed that this is not possible because "show arp" is a privileged EXEC command.

    Unfortunately, I'm not in a position to be able to confirm or deny this, since I'm not familiar with Cisco or TACACS device management. I was hoping someone in this forum could:

    (a) confirm that it is possible to permit individual commands without permitting all others

    (b) give some details on what to do in TACACS to make this happen.

    All I need is to run these two commands - I don't need anything else. I suspect that our TACACS management team simply does not know how, or does not want, to implement this authorization. Your help in pushing this would be appreciated.

    Thank you.

    "All I need is to run these two commands - I don't need anything else. I suspect that our TACACS management team simply does not know how, or does not want, to implement this authorization. Your help in pushing this would be appreciated."

    It's a very simple setup. All they need is to set up authorization as follows:

    user = test {
        member = limited
        login = des xxxxxxx
        name = "Scott Paul"
    }

    group = limited {
        default service = deny
        cmd = show {
            permit "arp.*"
            permit "cam.*"
            deny .*
        }
    }

    With that, your TACACS account may only run the "show arp *" and "show cam *" commands and nothing else.

    Easy, right?
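    Added example, not from the post above: a small Python model of how a tac_plus-style daemon would evaluate the `limited` group's shell command policy. The permit/deny semantics are my reading of tac_plus (first matching regex wins, a cmd with no rules falls back to `default service`, nothing matching means deny), and the NAS-side split into cmd and cmd-arg values is an assumption.

```python
import re

# Constructed policy mirroring the 'limited' group in the post above:
#   default service = deny
#   cmd = show { permit "arp.*"  permit "cam.*"  deny .* }
LIMITED_GROUP = {
    "default_service": "deny",
    "cmd": {
        "show": [("permit", r"arp.*"), ("permit", r"cam.*"), ("deny", r".*")],
    },
}


def authorize_command(group, cmd, cmd_args):
    """Authorize one shell command for a group.

    Models tac_plus behaviour as I understand it (assumption): the NAS sends
    service=shell, cmd=<first word>, one cmd-arg per further word and a final
    cmd-arg=<cr>; the daemon joins the real arguments with spaces and walks the
    cmd's permit/deny list in order. The first regex that matches decides; a
    cmd with no rules falls back to 'default service'; no match means deny.
    """
    args = " ".join(a for a in cmd_args if a != "<cr>")
    rules = group["cmd"].get(cmd)
    if rules is None:
        return group["default_service"] == "permit"
    for action, pattern in rules:
        # Unanchored search, as in tac_plus: "arp.*" also matches "ip arp".
        # Anchor the policy regex (^arp) if only 'show arp ...' is intended.
        if re.search(pattern, args):
            return action == "permit"
    return False


def authorize_line(group, line):
    """Split a typed command line the way the NAS does and authorize it."""
    words = line.split()
    if not words:
        return False
    return authorize_command(group, words[0], words[1:] + ["<cr>"])


if __name__ == "__main__":
    for line in ["show arp", "show cam dynamic", "show running-config",
                 "show", "configure terminal", "show ip arp"]:
        verdict = "permit" if authorize_line(LIMITED_GROUP, line) else "deny"
        print(verdict.ljust(6), line)
```

    Note that "show" with no arguments is denied by the trailing `deny .*`, while "show ip arp" slips through the unanchored `arp.*` pattern.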

  • TACACS+ authorization failure on ASR1001

    Hello

    I use the command structure below, identical to all our other routers. However, when I try to type commands it says "Authorization failed". The only difference between this router and our others is that it is a Cisco ASR1001. Is there some special requirement for this router that I'm missing?

    aaa authentication login default group TACACS-SERVERS local
    aaa authorization exec default group TACACS-SERVERS local
    aaa authorization commands 1 default group TACACS-SERVERS local
    aaa authorization commands 15 default group TACACS-SERVERS local
    aaa accounting exec default start-stop group TACACS-SERVERS
    aaa accounting commands 1 default start-stop group TACACS-SERVERS
    aaa accounting commands 15 default start-stop group TACACS-SERVERS
    aaa accounting connection default start-stop group TACACS-SERVERS
    aaa accounting system default start-stop group TACACS-SERVERS

    When you log in to the router, do you authenticate with your TACACS credentials or with the local credentials? I'm guessing it's the local credentials and that the router is not authenticating or authorizing with the TACACS server. If that is correct, you should investigate and find the cause of the failure to use TACACS.

    I also suggest a change that may be useful. Change this line

    aaa authorization commands 15 default group TACACS-SERVERS local

    to

    aaa authorization commands 15 default group TACACS-SERVERS if-authenticated

    HTH

    Rick
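    Added example, not from any of the posts: a Python audit over an IOS AAA excerpt that checks for the pitfalls raised in this thread, the 2900XL thread and the question at the top (no command authorization at level 15, `no aaa authorization config-commands`, and a method list with no fallback or with `none`). Both config excerpts are constructed; the hardened one uses Rick's `if-authenticated` suggestion.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the 2900XL post: command authorization only
# at level 7, no fallback method, config-command authorization switched off.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 7 default group tacacs+
no aaa authorization config-commands
"""

# Constructed hardened counterpart: levels 1 and 15 covered, if-authenticated
# fallback, configuration commands left under authorization (the IOS default).
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
"""

FALLBACKS = {"local", "if-authenticated", "none"}


@dataclass
class AaaModel:
    cmd_levels: dict = field(default_factory=dict)  # level -> (list name, methods)
    config_commands: bool = True  # IOS default once command authorization is on


def parse_aaa(config):
    """Pull the command-authorization statements out of an IOS config excerpt."""
    model = AaaModel()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no aaa authorization config-commands":
            model.config_commands = False
            continue
        m = re.match(r"aaa authorization commands (\d+) (\S+) (.+)$", line)
        if m:
            model.cmd_levels[int(m.group(1))] = (m.group(2), m.group(3).split())
    return model


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    model = parse_aaa(config)
    findings = []
    if not model.cmd_levels:
        findings.append("no 'aaa authorization commands' statements: the server "
                        "is never asked about any command")
        return findings
    if 15 not in model.cmd_levels:
        findings.append("command authorization at levels %s but not 15: configuration "
                        "commands sit at level 15 by default and go unchecked"
                        % sorted(model.cmd_levels))
    if not model.config_commands:
        findings.append("'no aaa authorization config-commands': commands typed inside "
                        "configure terminal bypass authorization")
    for level, (name, methods) in sorted(model.cmd_levels.items()):
        fallbacks = [m for m in methods if m in FALLBACKS]
        if not fallbacks:
            findings.append("commands %d list '%s' has no fallback after 'group': "
                            "lockout when the server is unreachable" % (level, name))
        if "none" in fallbacks:
            findings.append("commands %d list '%s' falls back to 'none': every command "
                            "is permitted when the server is unreachable" % (level, name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```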

  • TACACS+ authentication/authorization based on the user's subnet

    Hi guys/girls

    We have a number of production gears which are configured with Cisco TACACS+, and they all work very well. But now I have a requirement to implement SSH version 2 across the network, which consists of about 8000 pieces of Cisco gear.

    I need to develop a proof of concept (POC) that enabling SSH on the production gear will not affect the existing TACACS+ user authentication and authorization.

    Our lab Cisco gear is already configured with the production TACACS+ server for authentication and authorization. Now, I am allowed to test SSH on these lab machines, but without disrupting other users who use the same lab gear.

    So, I want to enable SSH version 2 on these lab machines; however, when a user comes from a certain specific subnet, this user must be authenticated and authorized by the LAB TACACS+, not the production TACACS+. Please note that the lab gear I'm testing with is also already configured for the production TACACS+ server. These lab devices must be able to do authentication and authorization against two different TACACS+ servers based on the subnet the user is coming from.

    Is this plan feasible? I have been looking for documentation on how to implement and test this method, without success.

    Your comments will be appreciated and rated.

    Thank you

    Rizwan James

    Adely,

    It won't work. TACACS authentication begins once the SSH connection is established; the NAS (router or switch) opens a TACACS connection and sends the START packet to the TACACS server, after which the GETUSER message is sent from the TACACS server to the device and on to the user's terminal. You cannot create an ACL to choose which TACACS servers you authenticate against either. Authenticating users from a specific subnet against a specific TACACS server is not how TACACS is designed; when you configure multiple servers in a group it is for high availability, so that when one TACACS server goes down you have a secondary one to continue handling the authentication requests.

    Here is an example of how TACACS authentication is performed.

    http://www.Cisco.com/en/us/Tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

    Thank you and I hope this helps.

    Tarik Admani
    *Please rate helpful posts*

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client I will apply aaa authentication/authorization under the vty lines. The issue is, if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host IP
    tacacs-server key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a banner/prompt message shown whenever you try to log in (console/vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner and prompts displayed:

    ************************************************************
    Username: cisco, password: cisco (priv 15 - local) *
    ************************************************************
    Unauthorized use is prohibited.
    Enter your name here: User1
    Now enter your password:
    Router#

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Now enter your password:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • TACACS console question

    Hello

    I've just put TACACS on some IOS devices. I'm only using a default group that is configured to provide level 15 privileges. As I use the same default group on the vty and console, I would expect access by the two methods to be the same, but when I telnet in I get straight to the level 15 # prompt, whereas when I console in I always get prompted for the enable secret.

    Any ideas?

    Regards

    Chris Ayres

    Chris

    You have found a behavior that Cisco has had for a long time (and probably for good reason). TACACS authentication/authorization that puts someone directly into privileged mode by default works on the vty and does not work on the console.

    The reasoning is that if you make a mistake in the authentication/authorization configuration (very easy to do - especially if your understanding of what you are doing is a little weak), it would be easy to lock yourself out of the device. By default it works on the vty and does not work on the console (providing a way to recover from problems). There is a hidden command that allows you to have it work on the console as well (be very careful that your config works correctly before you enable it on the console).

    If you want it, try this:

    aaa authorization console

    HTH

    Rick

  • When no TACACS+ available -> login with enable PW

    Hello

    When I try to telnet to my switch and the TACACS+ server is not available, I get an "authorization failed" message after typing the enable password :-(

    Here is some info:

    switch config:

    --------------

    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login vtyauth group tacacs+ enable
    aaa authentication enable default enable
    aaa authorization exec default group tacacs+
    enable secret xxxxxxxx
    !
    tacacs-server host ACS_SERVER_IP
    tacacs-server key xxxxxxxx
    !
    line vty 0 4
     password 7 xxxxxxxx
     login authentication vtyauth

    debug aaa authentication:

    -------------------------

    1w0d: AAA: parse name=tty2 idb type=-1 tty=-1
    1w0d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    1w0d: AAA/MEMORY: create_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1
    1w0d: AAA/AUTHEN/START (3157593126): port='tty2' list='vtyauth' action=LOGIN service=LOGIN
    1w0d: AAA/AUTHEN/START (3157593126): found list vtyauth
    1w0d: AAA/AUTHEN/START (3157593126): Method=tacacs+ (tacacs+)
    1w0d: TAC+: send AUTHEN/START packet ver=192 id=3157593126
    1w0d: AAA/AUTHEN (3157593126): status = ERROR
    1w0d: AAA/AUTHEN/START (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): continue_login (user='(undef)')
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = PASS
    1w0d: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    1w0d: AAA/DISC/EXT: tty2: 1002/"unknown"
    1w0d: AAA/MEMORY: free_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1

    Thank you!

    I would like to clarify a few authorization options.

    Enable mode is priv 15.

    Because of the line "aaa authorization exec default group tacacs+", the router will ask ACS to check that the user has priv level 15, no matter what the fallback is. Your options are:

    1. Set the user's group in ACS to have shell access and specifically privilege level 15.

    2. Change your router config to "no aaa authorization exec default"; this is however less secure and not recommended.

    You can take "aaa authentication enable default enable" out of the config since you use TACACS+, because, as I said, if you use TACACS+ authorization it is always going to check with ACS for this priv level 15.

    See the attachment for a view of where you enter this level. By default only the group can be configured like this, but there is a way to apply it to a user - this can be done by enabling this attribute via the "Interface Configuration" and then "TACACS+" options.

    Hope this helps, let us know the results.

  • ACS command authorization report in conf t mode

    Hi, this is probably a quick one, but I couldn't find a solution so far.

    We use command authorization through ACS and are thus able to see (in case of problems) who entered which commands at what time on which device. But it only works until someone goes into conf t mode. Up to that point I get log entries in ACS (version 5): I can see all the commands and who entered configuration mode, but nothing after that. Excerpt from the configuration:

    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local enable line
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    My guess is that I'm missing a command here, and so no authorization is performed for those commands.

    Any idea?

    Thank you

    Chris

    Hello

    What are you looking at? Take a look at the TACACS+ Accounting and TACACS+ Authorization reports.

    Thank you

    John

  • Authorization failed

    Good day.

    I have a problem with TACACS+ authorization.

    config:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18 single-connection key 123
     ip vrf forwarding mgmt
     ip tacacs source-interface FastEthernet0/2/0
    !
    aaa authentication login default group TACACS-GDP local
    aaa authentication enable default group TACACS-GDP enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group TACACS-GDP local
    aaa authorization commands 15 default group TACACS-GDP local
    aaa authorization network default group TACACS-GDP local
    aaa accounting exec default start-stop group TACACS-GDP
    aaa accounting commands 15 default start-stop group TACACS-GDP

    Debug:

    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 16 bytes)
    TPLUS(000002FC)/0/READ: read entire 28 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status GET_PASSWORD (8)
    TPLUS(000002FC)/0/NONE: started 120 sec timeout
    TPLUS: Queuing AAA Authentication request 764 for processing
    TPLUS: processing authentication continue request id 764
    TPLUS: Authentication continue packet generated for 764
    TPLUS(000002FC)/0/NONE: timer collapsed
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 24 bytes request
    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 6 bytes)
    TPLUS(000002FC)/0/READ: read entire 18 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status PASS (2)
    TPLUS: Queuing AAA Authorization request 764 for processing
    TPLUS: processing authorization request id 764
    TPLUS: Protocol set to None .....Skipping
    TPLUS: Sending AV service=shell
    TPLUS: Sending AV cmd*
    TPLUS: Authorization request created for 764(ingener)
    TPLUS: using previously set server 10.0.255.18 from group TACACS-GDP
    TPLUS(000002FC)/0/IDLE/15D4A80C: got immediate connect on new 0
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 64 bytes request
    TPLUS: Error reading pkt header, stopping single connect
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received invalid client information in packet

    And another question:

    Why are all the usernames in upper case?

    username ADMIN privilege 15 secret *

    You can try without single-connection:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18

    ~BR
    Jatin

    *Do rate helpful posts*
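    Added example, not from the post: a Python decoder for the 12-byte TACACS+ header and an authorization REPLY body (RFC 8907 layout), including the shared-key body obfuscation and the single-connect flag that `single-connection` negotiates. It shows the "read 12 header bytes, then expect N body bytes" step the debug above goes through; the key, session id and server message are constructed values.

```python
import hashlib
import struct

# TACACS+ header, RFC 8907 section 4.1: 12 bytes, big-endian.
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01     # body sent in clear, no shared-key obfuscation
FLAG_SINGLE_CONNECT = 0x04  # peer wants sessions multiplexed on one TCP connection
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_header(data):
    """Decode the 12 header bytes the NAS reads before it knows the body size."""
    if len(data) < HEADER.size:
        raise ValueError("short header: %d bytes" % len(data))
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != 0xC or ptype not in TYPE_NAMES:
        raise ValueError("not a TACACS+ header")
    return {"version": version, "type": TYPE_NAMES[ptype], "seq_no": seq_no,
            "unencrypted": bool(flags & FLAG_UNENCRYPTED),
            "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
            "session_id": session_id, "body_length": length}

def parse_author_reply(packet, key):
    """Decode an authorization REPLY using the shared key the NAS was configured with."""
    hdr = parse_header(packet)
    body = packet[HEADER.size:]
    if len(body) != hdr["body_length"]:  # the 'expect N bytes' step in the debug
        raise ValueError("body is %d bytes, header says %d" % (len(body), hdr["body_length"]))
    if not hdr["unencrypted"]:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len].decode("ascii", "replace")
    pos += msg_len + data_len  # skip server_msg and the opaque data field
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    hdr.update(status=AUTHOR_STATUS.get(status, hex(status)),
               server_msg=server_msg, args=args)
    return hdr

def build_author_reply(session_id, seq_no, key, status, server_msg="", args=(),
                       single_connect=False):
    """Constructed server reply for testing; real ones come from the TACACS+ daemon."""
    arg_bytes = [a.encode() for a in args]
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, len(arg_bytes), len(msg), 0)
    body += bytes(len(a) for a in arg_bytes) + msg + b"".join(arg_bytes)
    version, flags = 0xC0, (FLAG_SINGLE_CONNECT if single_connect else 0)
    body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, 2, seq_no, flags, session_id, len(body)) + body

KEY = b"constructed-shared-key"  # placeholder, not a value from any real config
SAMPLE = build_author_reply(0x1A2B3C4D, 2, KEY, 0x10,
                            "command not in permitted set", single_connect=True)
```

    With the wrong key the pad is wrong and the decoded body is garbage, which is what a NAS and server with mismatched keys see from each other; the header itself is never obfuscated, so the flags and length are always readable.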

  • Wireless access point console port login problems

    I have an AIR-AP1242AG-A-K9.

    When I connect my console cable to the access point, it drops me directly at

    AP1.ciscow >

    rather than at a username prompt.

    I do not have the 'login local' or 'login' commands under the vty/con lines as a switch or router does, so I'm just trying to figure out how I can point the access point's line con 0 port at the local username database configured on the access point itself.

    Any ideas?

    IOS 12.3(7)JA1

    Hi Glen,

    Try aaa authorization console in global configuration mode to add RADIUS and/or TACACS authorization on the console port!

    Best regards

    Frank

  • Restrict remote modem access with ACS

    Hello..

    Using ACS I am trying to limit reverse telnet access to a modem which will later be used by TTYredirector. I want users to have access to the modem only. We are on ACS 3.01 (yes, I know, old)...

    When using Network Access Restrictions with device: 2065:* (2065 being the assigned line port) I get 'service denied service=raccess tty65' in the failed attempts log.

    Do I need to add this service to TACACS+ under Interface Config?... What are the params? I tried just 'raccess' in services, which added a section under the user/group that I selected, but nothing else.

    On the router I have:

    aaa authorization reverse-access default group tacacs+

    Tips welcome; Google has turned up nothing so far.

    Paul

    Paul

    It's not the NAR causing the problem - that would result in a 'user filtered' message in the failed attempts.

    Looks like the problem is that your group configuration is not permitting the raccess service.

    Because this isn't a standard preset service in ACS, go to Interface Configuration, then TACACS+ (Cisco), and define a custom TACACS+ service. Call it "raccess". In the group settings you will then be able to enable it and define any attributes you need.

    Mounira

  • Backup AAA for PIX

    I have a PIX with the following configuration:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.1.1 77777 timeout 5
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.1.1 77777 timeout 10
    aaa-server LOCAL protocol local
    aaa authentication serial console TACACS+
    aaa authentication enable console TACACS+
    aaa authorization command TACACS+
    aaa accounting match aaa_acl inside RADIUS

    Everything works fine when the TACACS+ server is available. When it is not available, I can log in with the username "pix" and the password. The problem is, once I am logged in, I can't get authorization to execute commands. Does anyone know of a command similar to "if-authenticated" on routers that I can use?

    There is no backup method for authorization on the PIX. As you know, if the TACACS+ server is down you can log in with "pix" and the enable password, but that doesn't help with authorization. The only thing you can do is wait for the TACACS+ server to come back up. I'm sorry.

  • Integration of ASA with ACS

    Hi all

    I am trying to integrate some ASAs (8.6) with ACS (5.7); here is the ASA configuration.

    sh run | in aaa
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host 10.243.14.24
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting telnet console TACACS+
    aaa authorization exec authentication-server
    aaa authorization command TACACS+ LOCAL

    The problem is that I can log in to the ASA, but I can't type any commands in the CLI; I get the error message "command authorization failed".

    I have the same command sets and shell profiles created for switches and it works perfectly.

    This is the behavior in the ACS logs:

    1. Once I have authenticated, I can see the logs in ACS with my username.
    2. But when I type any command, my authorization is denied and I see in the ACS authorization logs that the username is "enable_15".

    Can someone help me identify what the problem is?

    Thank you
    Reverchon

    This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA. To correct this problem you must enable authentication of the enable password against ACS/TACACS:

    aaa authentication enable console TACACS+ LOCAL

    After the above command, the ASA will start checking the enable password against ACS/TACACS, and you use the TACACS enable password, which we can set per user.

    ~ Jousset

  • AAA for CatOS switch

    Hello

    I'm having a problem creating shell command authorization for my CatOS switches. My ACS version is 3.3.

    Your help is appreciated.

    Thank you

    Jong

    Jong,

    Here are the CatOS commands.

    Set the following:

    Console> (enable) set tacacs server [ip] [primary]
    set tacacs key [key]
    set tacacs attempts [number] (optional)
    set localuser user [user] password [password] privilege 15
    set authentication login local enable
    set authentication login tacacs enable [all | console | http | telnet] [primary]
    set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
    set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

    Here is the link for setting up command authorization. This example is for IOS, but once you understand the concept you should be able to set it up on CatOS.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Kind regards

    ~ JG

    Please rate helpful posts
