CEA and AAA (TACACS+)

Hello

I have configured my ACS with a custom attribute: shell: Admin = Admin. AAA with the ACE works very well... But now I can't log into my switches :-( I got a permission failed message. Here is the debug aaa of the switch:

13:41:38.433 Jul 12 UTC: AAA: analyze name = tty2 BID type =-1 ATS = - 1

13:41:38.441 Jul 12 UTC: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

13:41:38.441 Jul 12 UTC: AAA/MEMORY: create_user (0x16E1F28) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr ='* '= ASCII service CONNECTION priv = authen_type = 1 initial_task_id = ' 0', vrf = (id = 0)

13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port = 'tty2' list = "service = EXEC

13:41:44.590 Jul 12 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user ='* '

13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send service AV = shell

13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd *.

13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found the 'default' list

13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): method = Ganymede + (Ganymede +)

13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): user = *.

13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): send service AV = shell

13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): send AV cmd *.

13:41:44.799 Jul 12 UTC: AAA/AUTHOR (945064986): position of authorization = PASS_ADD

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: service treatment AV = shell

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV cmd *.

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV priv-lvl = 15

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV shell: Admin = Admin

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: received unknown AV required: shell: Admin = Admin

13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: permission DENIED

13:41:46.804 Jul 12 UTC: AAA/MEMORY: free_user (0x16E1F28) user ='* 'ruser = port 'NULL' = 'tty2' rem_addr =' * ' authen_type = AS

Any idea what the problem is?

Best regards Dirk

Hi Dirk,

Is there any reason or specific requirement for which you must configure the attribute shell: Admin = Admin?

The device rejects it because it is not able to understand it, and in addition to this we made it a required attribute.

Try this,

shell: Admin * Admin

* -> optional attribute

Kind regards

Prem
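
The required/optional distinction from the reply above, as an added example (not code from the thread or from Cisco): a sketch of the decision a TACACS+ client makes on an authorization reply (TACACS+ appears as "Ganymede +" on this page). The set of attributes the device understands and all function names are assumptions; the AV pairs are the ones in the debug output with the spacing removed.

```python
# Added example: how a TACACS+ client treats the AV pairs returned in an
# authorization reply. KNOWN_ATTRIBUTES and all names are assumptions.

# Attributes this hypothetical device understands for an EXEC (shell) session.
KNOWN_ATTRIBUTES = frozenset({"service", "cmd", "priv-lvl"})


def parse_av_pair(pair):
    """Return (name, value, mandatory) for one AV pair.

    The first '=' or '*' in the string is the separator:
    '=' marks the attribute as required, '*' marks it as optional.
    """
    for index, char in enumerate(pair):
        if char in "=*":
            return pair[:index], pair[index + 1:], char == "="
    raise ValueError(f"AV pair has no '=' or '*' separator: {pair!r}")


def authorize_exec(av_pairs, known=KNOWN_ATTRIBUTES):
    """Decide the outcome of an EXEC authorization reply.

    A required attribute the device does not understand fails the whole
    authorization; an optional one it does not understand is skipped.
    """
    applied = {}
    ignored = []
    for pair in av_pairs:
        name, value, mandatory = parse_av_pair(pair)
        if name in known:
            applied[name] = value
        elif mandatory:
            # Matches "received unknown AV required ... permission DENIED".
            return {
                "result": "DENIED",
                "reason": f"unknown required AV: {pair}",
                "applied": {},
                "ignored": [],
            }
        else:
            ignored.append(pair)
    return {"result": "PASS", "reason": "", "applied": applied, "ignored": ignored}


# Constructed sample replies, based on the AVs listed in the debug output.
REPLY_AS_CONFIGURED = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin=Admin"]
REPLY_AS_SUGGESTED = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin*Admin"]


if __name__ == "__main__":
    for label, reply in (
        ("as configured", REPLY_AS_CONFIGURED),
        ("as suggested", REPLY_AS_SUGGESTED),
    ):
        outcome = authorize_exec(reply)
        print(f"{label}: {outcome['result']} {outcome['reason']}".rstrip())
        if outcome["ignored"]:
            print(f"  ignored optional AVs: {outcome['ignored']}")
```

A device that does understand the custom attribute can still apply it in either form, which is why one ACS group can serve both kinds of device when the attribute is sent as optional.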

Tags: Cisco Security

Similar Questions

  • Configuration guide benefits of Cisco context directory Agent (CDA) and AAA (on ASA)

    Hello

    I would like to set up and test AAA on a Cisco ASA (5505 or 5510).
    1 are there any other tools or server required to use this feature? And you have good configuration guides?

    I already tested a CDA of Cisco. He was able to show users active directory and their IP equivalent.
    2. do you have a brief explanation what kind of opportunities I have with this server/tool? It is perhaps usable for the AAA mentioned on the SAA?

    Thanks in advance

    Best regards

    1. Yes, you need a Radius like Windows Server NPS or RADIUS server such as Cisco ACS/ISE server.

    2. He's just a man in the middle of the ADC, you will always need an AAA server: radius or Ganymede (see # 1).

  • AAA Ganymede + with backup local auth

    Hello

    I try to get my switches/routers/etc to aaa allows you to restrict access to the configuration of the devices on my network. I have the aaa authentication to GBA v3.3 now, but for some reason any my local user no longer works. I would like to have the possibility of a connection to access local, just in case my ACS becomes unavailable.

    My config on a 2950 is...

    version 12.1

    Service nagle

    no service button

    tcp KeepAlive-component snap-in service

    a tcp-KeepAlive-quick service

    horodateurs service debug uptime

    Log service timestamps uptime

    encryption password service

    !

    AAA new-model

    connection authentication AAA SMOC-access group Ganymede + local select none

    AAA authorization exec SMOC-access group Ganymede + local

    AAA SMOC-access authorization network group Ganymede + local

    AAA accounting exec SMOC-access arrhythmic group Ganymede +.

    AAA accounting network SMOC-access group arrhythmic Ganymede +.

    Select the secret xxx

    activate the password xxx

    !

    username admin privilege 15 secret xxx

    RADIUS-server host 172.20.2.25 key xxx

    RADIUS-server key xxx

    radius-server administration

    line vty 0 4

    exec-timeout 15 0

    password xxx

    exec SMOC-access permission

    exec accounting SMOC-access

    Synchronous recording

    SMOC-access connection authentication

    length 48

    line vty 5 15

    password xxx

    !

    The only time the local user will work is when your RADIUS server is not available. You can test by putting in the wrong key of Ganymede and establishing a new session. Be sure to keep the original session open just in case :-)

    HTH and rate please.

  • AAA GANYMEDE + accounting - CLI question by user not appear in the report of the ACS.

    Can I know why CLI cancelled by the user does not show on GANYMEDE ACS accounting report. The length of time is displayed, but I also wanted to connect what is the commands issued by the user.

    What is missing here?

    enable AAA authentication login VTY P1_ACS local group

    Group default AAA authorization exec local P1_ACS authenticated by FIS

    AAA authorization exec CONSOLE none

    AAA exec by default start-stop accounting P1_ACS group

    AAA commands 5 default start-stop accounting P1_ACS group

    AAA commands 15 arrhythmic default accounting P1_ACS group

    The command accounting logs are stored in the administration logs of Ganymede.

    There is also a known issue on ver 4.1.1 and we must

    apply the ACS 4.1.1.23.5 patch to fix the problem.

    Patch for the unit is available on

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    Acs hotfix for windows is available on

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    CCIE Security

  • 2600 router: faced with setting up the accounts user and AAA

    I use SDM to configure easy VPN connection and being a newbie I'm fighting with AAA and the creation of the necessary user account. The SDM Assistant said I must have active AAA and a user account. I found this doc from Cisco using google:

    http://www.Cisco.com/en/us/docs/iOS/12_2/security/configuration/guide/scfathen.html#wp1000971

    and following the instructions, I entered these commands in the cli:

    Router (config) #aaa new-model

    Router (config) #aaa authentication login default local

    but my normal connection and the user name and password do not work in the CLI as soon as I did it. I have the router powerdown and restart it to retrieve the control.

    To be honest, I found things really hard Cisco instructions, I don't understand method-list RADIUS Kerberos GANYMEDE stuff so I was wondering if there was simple instructions there to set up the user account necessary to go forward with the vpn Wizard easy in SDM.

    Thanks for the pointers.

    Hello Anthony,

    Once you enable the aaa new-model, all applied to the invalid lines previous authentication mechanisms. That's why you should do one of the following values

    Do not issue 'aaa authentication login default local' or if you are forced by SDM, or create a username for yourself with high private, because this command will effect console or VTY lines that their authentication is left by default and require the username and password each time you connect, or you can create a list that has 'no' as a method and apply to the console line to ignore the console authentication.

    username anthony priv 15 password xxxx

    Once you enter a username as shown above, you can connect via the console with this username and pass if "aaa authentication login default local" is issued.

    RADIUS and Ganymede methods are servers that has the ability to contain the names of users with more advanced configurations. For simple authentication, you can use local authentication, this is why you should not mess with Radius or Ganymede at the moment.

    Concerning

  • PIX, PDM and AAA issues

    I have a PIX 520 in the laboratory running 6.3.3 and PDM 3.0. I tested AAA authentication and authorization to our ACS server and run into problems.

    I have two groups put in place on our ACS server. A group can be accessed freely, the other group is set to the top with a Shell command authorization set that limit orders so that they can watch the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/series in the unit and are authenticated and authorized correctly.

    The configuration below works fine, until I pull the ACS server off the network. Because it is not any backup authentication or authorization to order method I am dead in the water. When this happens, I can always connect via the serial console, by using the 'pix' username and password enable, I just cannot run the command 'Enable' mode privileged or any other control besides. (I get an error "Permission has no orders").

    Here's a current configuration:

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + (inside) host 1.2.3.4 123456 timeout 5

    Console telnet authentication GANYMEDE AAA +.

    the AAA console ssh GANYMEDE authentication +.

    AAA authentication GANYMEDE serial console +.

    AAA authentication enable console GANYMEDE +.

    Console AAA authentication http GANYMEDE +.

    order of AAA for authorization GANYMEDE +.

    Is it possible to set up a backup method for approval of authentication and control? If not, is there any other way the problem I'm running into?

    Let me know if you need more info. Thank you!

    Hello

    Sorry, I missed this earlier. There is a failure on the PIX for this and we have an open enhancement request to add several methods of authorization to the PIX - CSCea04538. At this point, your best bet is to bug your account team to get this feature added to the code of PIX to come. Sorry for the inconvenience.

    Scott

  • ISE and AAA configuration

    Hi guys,.

    I use that one server as primary and cisco ISE says there (ACS + NAC) features. I want to activate the AAA on the box rightnow ISE services.

    I used the ACS earlier and you want to configure the same functions in this regard.

    Authentication of devices in ISE when remote login for switch/router/firewall.

    Authorization of the form controls what ISE based on the user login

    Posting the details of command and connection and disconnection from the user.

    I have very basic knowledge of ISE but I used ACS thoroughly.

    Please help in the question above.

    Thanks in advance

    Concerning

    You've probably used GANYMEDE + with your ACS; You cannot migrate this functionality to ISE does not support the ISE GANYMEDE +. You must take the device admin stuff on GBA.

  • Problem with MS IAS and AAA

    I am AAA configuration. I'm setting up a router so that when users access using the vty line, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test group aaa AUTH administrator legacy xxxxxxx' it gives the following error

    Test of authentication attempting AUTH server group using RADIUS

    * 01:01:04.991 Mar 1: AAA: analyze IDB name = type =-1 ATS = - 1

    * 01:01:04.991 Mar 1: AAA/MEMORY: create_user (0x6417FF80) = user tweak "Administrator" = "NULL" ds0 = 0 port = "rem_addr = 'NULL' = ASCII service CONNECTION priv = authen_type = 1 initial_task_id = '0', vrf = (id = 0) no answer authoritative of any server.

    RTR #.

    * 01:01:23.647 Mar 1: RADIUS-4-RADIUS_DEAD %: 172.16.1.243:1812, 1813 RADIUS server does not respond.

    * 01:01:23.655 Mar 1: AAA/MEMORY: free_user (0x6417FF80) = user tweak "Administrator" = "NULL" port = "rem_addr = 'NULL' = ASCII service CONNECTION priv = authen_type = 1 vrf = (id = 0)

    * 01:01:23.655 Mar 1: RADIUS-4-RADIUS_ALIVE %: 172.16.1.243:1812, 1813 RADIUS server is marked in life.

    I also used the default ports for authentication, but still no use. I am able to ping router radius server and can ping router of the radius server.

    The RADIUS server is installed in VMware Server and the router is emulated in Dynamips.

    Here is the configuration of the router

    RTR #sh run

    Building configuration...

    Current configuration: 863 bytes

    !

    version 12.4

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    no password encryption service

    !

    hostname RTR

    !

    boot-start-marker

    boot-end-marker

    !

    !

    AAA new-model

    !

    !

    RADIUS AAA server AUTH group

    ACCT-port of the server 172.16.1.243 auth-port 1812 1813

    !

    RADIUS authentication AUTH of AAA connection group.

    !

    AAA - the id of the joint session

    memory iomem size 5

    !

    !

    IP cef

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    interface Loopback1

    no ip address

    !

    interface FastEthernet0/0

    IP 172.16.1.241 255.255.255.0

    automatic duplex

    automatic speed

    !

    IP http server

    no ip http secure server

    IP route 0.0.0.0 0.0.0.0 172.16.1.1

    !

    !

    !

    radius of the IP source interface FastEthernet0/0

    !

    !

    RADIUS-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx

    !

    control plan

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    Line con 0

    line to 0

    line vty 0 4

    authentication of connection AUTH

    !

    !

    end

    Do you see any hits on the 2003 event logs? If not, the request is not reaching the RADIUS server.

    Do not forget that Dynamips sometimes shows abnormal behavior. Since you are able to ping, then connectivity seems to be just fine here.

    Check the shared secret key and make sure that the radius ports are open, check to see if there is a firewall between the two.

    Kind regards

    ~ JG

  • The CEA and the APC data

    Hello!

    I can see data at the PCA and ECA, but I haven't posted any journal. This issue is all... unbalanced balances. Would that be a rule populating this nodes (APC and CEA)?
    I noticed certain rules whose values are not explicit. This means that these rules apply to the tree of the integer value (including the PCA and CEA)? Is it possible to limit these rules so that they perform only to EC, ECT, PC, PCT and Prop?
    Thank you!

    M.

    Yes, if a value restriction is not placed around the rules, then the rules will be run for all of the dimensions of value that can easily generate data being stored in the dimension of value ECA/APC.

    Once the data is loaded here, the only way to remove it is usually by a clear routine in the rules.

    The solution is to write a check for the following

    A rule preventing them from running at the CEA is easy, just check out:

    If HS. Value.Member <> '' then
    "Make your code
    End If

    is actually calculated. If you need to change things up a bit to make this one. With the Parent USD, it would be actually HS. Value.Member = 'Adjs USD' But the best approach is the following:

    If HS. Value.IsTranscurAdj <> true then
    "Make your code
    End If

    You can combine the two lines to exclude both.

    Edit:
    Also, be careful with the rules running a PC as they can substitute your naturally translated quantity, making it so your system does not use Exchange rates. The rules do not work since ECT ECT or PCT = EC + ECA anything. Same thing with the PCT.

  • the AAA authentication enable default group Ganymede + activate

    I implement CSACS 4.0. First of all on the client, I will apply aaa authentication / authorization under vty. The issue is if I use the following command

    the AAA authentication enable default group Ganymede + activate

    What happens if I connect via the console? I need to enter a name of user and password?

    Here is my configuration

    AAA new-model

    Group authvty of connection authentication AAA GANYMEDE + local

    the AAA authentication enable default group Ganymede + activate

    authvty orders 15 AAA authorization GANYMEDE + local

    RADIUS-server host IP

    Radius-server key

    Ganymede IP source interface VLAN 3

    AAA accounting send stop-record an authentication failure

    AAA accounting delay start

    AAA accounting exec authvty start-stop group Ganymede +.

    orders accounting AAA 15 authvty power group Ganymede +.

    AAA accounting connection authvty start-stop group Ganymede +.

    line vty 0 15

    connection of authentication authvty

    authorization orders 15 authvty

    authvty connection accounting

    accounting orders 15 authvty

    accunting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a guest message.banner whenever you try to connect (console/vty). I set it up on my router.

    If you have banner motd, it will appear as well (see below). So, I have to remove it to get only the aaa banner & prompt is displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15f - local) *.

    ************************************************************

    Any unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router #.

    The configuration more or less looks like this:

    AAA new-model

    AAA authentication banner ^ is forbidden to use CUnauthorized. ^ C

    AAA authentication password prompt "enter your password now:

    AAA-guest authentication username "enter your name here:

    Group AAA authentication login default RADIUS

    local authentication AAA CONSOLE connection

    HTH

    AK

  • GANYMEDE + authentication and authorization on IOS XR

    Hi all

    I tried to connect several devices IOS - XR on our laboratory (ASR, RSG and CRS) to our server GANYMEDE + (Cisco Secure ACS, release 4.2 (0)). The objective is that the GANYMEDE would achieve authentication authorization and control the user for all CLI connection non-console (telnet and SSH) types. I don't use any HTTP server to access devices and I want to keep the connection to the console to the powers the.

    I have several devices connected to this GANYMEDE with the following configuration related to AAA. I would like to implement the same principles on the IOS - XR, but given that the command structure is different and I could not understand how to do this using the Manuel, I need your expert help:

    AAA new-model

    !

    !

    AAA Ganymede Server + acs servers group

    Server

    !

    AAA authentication login default local

    AAA authentication login local_vty local

    AAA authentication local console connection

    AAA authentication login acs acs-servers-group local group

    AAA authorization exec default group Ganymede +.

    AAA authorization commands 15 acs_cmds group Ganymede +.

    AAA authorization commands 15 local_cmds no

    !

    !

    !

    !

    !

    AAA - the id of the joint session

    !

    Saute...

    !

    username * secret privilege 15 5 *.

    !

    Saute...

    !

    GANYMEDE server host 7 key

    RADIUS-server application made

    !

    Saute...

    !

    Line con 0

    StopBits 1

    line to 0

    StopBits 1

    line vty 0 4

    exec-timeout 0 0

    privilege level 15

    authorization orders 15 acs_cmds

    DCC connection authentication

    preferred transport telnet

    transport of entry all

    line vty 5 15

    exec-timeout 0 0

    * Note: Device to IOS - XR run versions 4.1.2 and 4.2.0

    Many thanks for any help that you could provide

    Lior

    Lior,

    You must return the task ID and/or groups of task in order to make this work. According to my experience, working with these platforms is it is really unnecessary to proceed with approval of order if you trust the task-ID/groups, which are integrated in the ASR.

    The flow for Ganymede command auth for these devices is a bit different than your IOS essentially traditional (unless something has changed in the last 6 months), if the user tries to run a command, the Ganymede auth command is triggered if the user executes a command that falls under the umbrella of task. If she's not here command permission is never triggered.

    Here are some documents that I feel will help you:

    https://supportforums.Cisco.com/docs/doc-15944

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Configuration of RADIUS and accounting AAA + PIX-515E

    Dear All;

    I want to put the accounting of PIX.

    Here is the composition of the equipment.

    ACS SE: 4.1.1.23.5

    PIX 515E: 7.0 (6)

    PIX of setting is as follows.

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + host xx.xx.xx.xx

    key xxxxx

    order of accounting AAA GANYMEDE +.

    Console telnet accounting AAA GANYMEDE +.

    Thus, the configuration setting was written in ACS.

    But the user name is enable_15. (attached 1.jpg)

    Is it a restriction?

    Kind regards

    Reiji

    Hi Marilou,

    Looks like we have the authority to command configured on the pix. You must enable authentication configured on the RADIUS server then only we would get username is accounting, unlike pix Device IOS doesn't send user name to the RADIUS server, he would send enable_15 as username for all users.

    Configure the following command to make it work.

    AAA authentication enable console LOCAL + Ganymede

    HTH

    -Philou

  • Total connection time how to account with GANYMEDE.

    Hi, we have the following scenario, this company uses two methods for remote access (for employees only): through RAS connections, or by using VPN clients to connect to a 535 PIX over the Internet. We need to do accounting for the total connection time, in the case of RAS connections is easy, we run AAA GANYMEDE + between the RA and the ACS (ver 2.1) and check the start/end time. But with the Internet connection start/stop time reflects the total time for each connection by user i.e. telnet, snmp, ftp, etc. but what connections can be simultaneous (or not), so we can not just add every time total of connections to a single user, it could be greater than the actual time that this user has been really connected. So how could account us for in this case total connection time?

    Thanks in advance for your recommendations

    Unfortunately you don't have. Accounting for users in the PIX VPN is on the Board to design for some time now, but so far has not been implemented. You can check the status on bug ID CSCdu01327 for other updates.

  • banner of AAA authentication

    I have configured the banner authentication aaa and aaa fail message on a router running 12.1 (15) - authentication is done by ACS 3.0.2 which works very well.

    Problem - the banner of authentication does not appear (nothing is outside of "username:"-don't not even 'check' user access) If you enter a wrong password, but the failure message. If I console in and unplug the interface while the two messages very well.

    Workaround solution - if I set up a connection "banner" then everything works fine too, but I can't work out why does not display the "banner of aaa authentication."

    I suspect ACS prevents the message, but I can't work out how - can anyone suggest a solution?

    Thank you very much!

    By the way that the command "radius-server administration '? It doesn't seem to be documented, and it has no effect or not.

    The banner command does not work if you make the RADIUS authentication, it will not work if you do a RADIUS/local/etc. This is normal, cause with Ganymede you can have the sending server banner and guests down (even if with all I don't think that you can do) and so if you have configured authentication GANYMEDE the router does not take into account the banner command and waits to see if she gets a new one from the server RADIUS itself. If it is not it will simply display the usual guests.

    As for the 'radius-server admin' command, honestly, I have no idea, never seen anyone use. Online help says "start the daemon of Ganymede management administrative messages", but what really I don't know, maybe someone else can help.

  • When no Ganymede + available -> connection with enable PW

    Hello

    When I try to telnet my switch and the Ganymede server + is not available, I get an "authorization failed" message after typing the password enable :-(

    Here is some info:

    config switch:

    --------------

    AAA new-model

    AAA of default login authentication group Ganymede + activate

    AAA authentication login vtyauth group Ganymede + activate

    the AAA authentication enable default

    AAA authorization exec default group Ganymede +.

    Select the secret xxxxxxxx

    !

    radius-server ACS_SERVER_IP host

    RADIUS-server key xxxxxxxx

    !

    line vty 0 4

    password 7 xxxxxxxx

    connection of authentication vtyauth

    Debug aaa authentication:

    -------------------------

    1w0d: AAA: analyze name = tty2 BID type =-1 ATS = - 1

    1w0d: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

    1w0d: AAA/MEMORY: create_user (0x524CC4) user = "ruser =" port = "tty2" rem_addr = "MY_IP_ADRESS" authen_type = ASCII = priv = 1 CONNECTION service

    1w0d: AAA/AUTHENTIC/START (3157593126): port = list 'tty2' = "vtyauth" action = LOGIN = LOGIN service

    1w0d: AAA/AUTHENTIC/START (3157593126): found the list vtyauth

    1w0d: AAA/AUTHENTIC/START (3157593126): method = Ganymede + (Ganymede +)

    1w0d: TAC +: send worm package AUTHENTIC/START = 192 id = 3157593126

    1w0d: AAA/AUTHENTIC (3157593126): status = ERROR

    1w0d: AAA/AUTHENTIC/START (3157593126): method = ENABLE

    1w0d: AAA/AUTHENTIC (3157593126): status = GETPASS

    1w0d: AAA/AUTHENTIC/CONT (3157593126): continue_login (user = '(undef)')

    1w0d: AAA/AUTHENTIC (3157593126): status = GETPASS

    1w0d: AAA/AUTHENTIC/CONT (3157593126): method = ENABLE

    1w0d: AAA/AUTHENTIC (3157593126): status = PASS

    1w0d: % LOGGER_FLUSHED-3-SYS: System was suspended from 00:00:00 for the console to debug output.

    1w0d: AAA/DISC/EXT tty2: 1002 / 'unknown '.

    1w0d: AAA/MEMORY: free_user (0x524CC4) user = "ruser =" port = "tty2" rem_addr = "MY_IP_ADDRESS" authen_type = ASCII = priv = 1 CONNECTION service

    Thank you!

    I would like to clarify a few permission options.

    Activate the mode is priv 15.

    Because of the line "exec authorization default aaa group Ganymede +" router will request ACS to check that the user has private level 15, no matter it's the fallback solution. Your options are:

    1 set the Group of users in ACS to access a shell and especially of level 15 privileges.

    2. change your router config "default aaa authorization exec no" this is however less sure and not recommended.

    You can take "enable default of enable aaa authentication ' out of the config because you use Ganymede +, because as I said, if you use the authorization Ganymede + it's going to always check with ACS for this level of 15 private.

    See the attachment for a view where you enter at this level. By default, only the group can be configured like this, but there is a way to apply it to a user - this can be done by checking this attribute via the "interface Configuration" - then "Ganymede" options.

    Hope this helps, let us know the results.
