Cisco IOS-XR with ACS

Hello, my question is whether a router running Cisco IOS-XR (it is a 12k series, by the way) needs to be configured differently on the ACS side, or is it added like any other normal router?

Hi Raul,

The IOS-XR router will act as a NAS for the ACS, so its configuration will be the same as any other NAS on ACS.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved.

Tags: Cisco Security

Similar Questions

  • Cisco IOS Certificate Server - is it supported on 857/877 routers

    Can someone please confirm whether the Cisco IOS Certificate Server feature is supported on the Cisco 857 router? We have checked with the Software Advisor and no image shows up for the 857 when the IOS Certificate Server feature is selected, but the Advanced IP Services image 12.4(11)T shows up for the 877.

    Both the 857 and the 877 support the IOS Certificate Server.

    For the 857 you need the ADVANCED SECURITY feature set, 12.3(14)YT:

    http://Tools.Cisco.com/ITDIT/CFN/dispatch?Act=feature&ImageID=619356&platformFamily=306&featureSet=8&featureSelected=2208&availSoftwares=iOS

    The 877 offers more IOS images with Certificate Server support; when I chose the Cisco IOS Certificate Server feature in Feature Navigator I got a lot of IOS images supporting this feature.

    Go to Feature Navigator:

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Select search by feature and select the Cisco IOS Certificate Server feature; you can filter the results by platform (857/877).

    M.

  • Cisco 1121 appliance installed with ACS 4.2 SE version

    Hi all

    Sorry, could we install ACS version 4.2 on the Cisco 1121 appliance?

    Could we use the 1120 ACS 4.2 image DVD to install on the 1121?

    Or any workaround?

    THX!

    Calvin Su

    Hi Calvin,

    Unfortunately, the 1121 hardware doesn't support ACS version 4.2.0, so downgrading is not an option for the 1121. It can only be used with ACS 5.x.

    Kind regards

    Jousset

    Please rate useful posts.

  • Authenticate the Cisco WLC 5508 with Cisco ACS 1120 (version 5.0) using TACACS+

    My installation has a Cisco WLC 5508 and an ACS 1120 version 5.0. How do I authenticate users who access the WLC via the ACS 1120 using TACACS+? I am able to authenticate users for Cisco routers and switches, but when I try the same for the WLC, it fails.

    Can someone please explain the basic config/steps that must be configured on both the ACS and the WLC?

    Are you using plain vanilla 5.0 or have you installed patches?

    ACS 5.1 has new TACACS+ related functionality, including support for custom services and attributes. If these are necessary for the WLC support you need, upgrading would help.

    There could also be a relevant fix in the 5.0 patch schedule, but I can't find any relevant specific CDETS at this stage.

  • AAA authorization with ACS Shell Sets

    Hi all

    I am using a Cisco 871 router running version 12.4(11)T Advanced IP Services.

    I have difficulty getting AAA authorization to work properly with ACS.

    I am able to configure users in ACS fine and assign them shell and privilege level 7.

    I then set up a Shell Command Authorization Set and enter the commands, including configure.

    When I log in as a user, I get an exec with privilege level 7 no problem, but I never seem to be able to access global configuration mode by typing conf t (or configure terminal).

    If I type con? the only command offered is connect; configure is never an option...

    The only way I can get this to work is by entering the command:

    privilege exec level 7 configure terminal

    I thought the whole purpose of the ACS Shell Set was to provide this information to the router?

    It's frustrating.

    The ACS server is set up with the Shell Set named Level_7 for command authorization.

    It is assigned to the relevant groups and I have the 'Unmatched Commands' option set to 'permit'.

    'Permit Unmatched Args' is also selected.

    See an extract of my IOS config below:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACS
     server 10.90.0.11
    !
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    !
    tacacs-server host 10.90.0.11 key cisco
    !
    !
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    !

    Hope you can help me with this one...

    PS: I tried with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!

    Hello

    So now,

    You're actually using two different options and trying to couple them together. What I would say is you either use the Shell Command Authorization Set function or play with privilege levels, not both mixed together.

    The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I can't be sure. Try it and share the results.

    That is why I suggest putting the commands back at a normal level.

    Provided below are the steps to set up the shell command authorization:

    -------------------------------------------

    Follow these steps on the router:

    -------------------------------------------

    ! - <username> is the desired username
    ! - <password> is the password
    ! - Create a local username and password for us
    ! - in case we are not able to get authenticated via
    ! - our TACACS+ server. To provide a backdoor.
    username <username> privilege 15 password <password>
    ! - To apply the aaa model on the router
    aaa new-model
    ! - The following command is to specify our ACS
    ! - server location, where <ip address> is the
    ! - ip address of the ACS server, and
    ! - <key> is the key, which must be the same on the ACS and the router.
    tacacs-server host <ip address> key <key>
    ! - To get users authenticated through ACS when they try to log in.
    ! - If our router is unable to reach the ACS, we will use
    ! - the local username & password that we created above. This
    ! - prevents us from being locked out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    ! - The following commands are for accounting of the user's activity
    ! - when the user connects to the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    --------------------

    ACS configuration

    --------------------

    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.

    Provide any name.

    Provide a description (if necessary).

    (a) For a full administrative access set:

    Under 'Unmatched Commands', select 'Permit'.

    (b) For limited access:

    Under 'Unmatched Commands', select 'Deny'.

    Then type the main command in the 'Add Command' box above, and in the box below list the permitted arguments with 'permit', keeping 'Permit Unmatched Args' selected.

    For example, if we want the user to only have access to the following commands:

    login
    logout
    exit
    enable
    disable
    show

    then the configuration should be:

    -----------------------------------------------
    - Permit Unmatched Args
    -----------------------------------------------
    permit login
    permit logout
    permit exit
    permit enable
    permit disable
    configure
      permit terminal
    interface
      permit ethernet
      permit 0
    show
      permit running-config
    ------------------------------------------------

    In the example above, the user will be allowed to run only these commands. If the user tries to run 'interface ethernet 1', the user will get "command authorization failed".

    [2] Press 'Submit'.

    [3] Go to the Group to which we want to apply this command authorization set. Select 'Edit Settings'.

    (more...)

  • Use EAP-FAST with ACS 5.2

    Hello everyone,

    I use Active Directory as the external identity store for ACS. In the ACS 5.2 web interface, navigating to Access Policies > Access Services and going to the Allowed Protocols tab, the only protocol that works is PAP/ASCII. In the ACS documentation it is described as the least secure authentication method for ACS.

    I would like to use EAP-FAST. What command should I enter on the AAA client to make it work? The router's IOS version is 12.4.

    Here is its aaa configuration:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACSTEST1
     server 1.1.1.1
     server 2.2.2.2
    !
    aaa authentication banner ^CCCCCC*TACACS+ server is not available, use local def^C
    aaa authentication fail-message ^C
    aaa authentication login default group tacacs+
    aaa authentication login VTY group tacacs+ local
    aaa authentication login CONSOLE group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    !
    !
    aaa session-id common

    I have found no help in the Cisco IOS Security Command Reference or on the Internet.

    Thank you for your help.

    Best regards, Andy

    Hello

    TACACS+ authentication only supports PAP; it is not possible to use EAP-FAST.

    Please keep in mind that the EAP methods work with RADIUS, not with TACACS+.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • IOS router + VPN + ACS downloadable IP ACL

    I want to use the "Downloadable IP ACL" function on a 3825 VPN router (IOS 12.4T) in combination with an ACS.

    In many documents and discussions, I read that it is possible to use DACLs on Cisco IOS devices running version 12.3(8)T or higher.

    Authentication and authorization by the ACS works and the device gets some settings through the av-pair feature.

    I have tried several things to apply the DACL, such as using av pairs or the ACS "Downloadable IP ACL" function, but nothing works.

    In the debug log, I see that the av pair is transmitted to the device, but it is not used.

    --> Can you tell me whether it is possible to use DACLs on IOS routers?

    --> How does it work? What can I change?

    --> Is there a good manual for applying it?

    Thanks for your help!

    Martin

    It would be useful to know the PURPOSE of what you're trying to do...

    AFAIR client config mode requires no ACL for filtering, short of the split tunnel ACL... and I have no way to test right now.

    If you want to allow or deny some clients access to certain subnets, why not investigate the split tunnel ACL and vpn-filter in combination with ACS rather than the DACL.

  • Cisco IOS Software Internet Key Exchange vulnerability Enquiry

    Products affected

    Cisco IOS devices are vulnerable when running a software image of an affected version of Cisco IOS Software that does not support IKE version 2 (IKEv2) and is configured to use IKE version 1 (IKEv1).

    Vulnerable products

    This vulnerability affects the Cisco IOS Software release trains 15.1GC, 15.1T and 15.1XB. No other Cisco IOS Software release trains are affected.

    Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ike

    If we use a "not affected" release (for example, 12.4 or 15.0 releases) configured with IKE version 1, can it be affected by this vulnerability?

    router#sh subsys | include ikev2

    ikev2_cli_registry   Registry   1.000.001

    Thanks & best regards,

    Ye

    You are not affected by this vulnerability.

    As described in the advisory: "There are no affected 12.4 based releases" and "There are no affected 15.0 based releases".

  • Cisco IOS router 837 - configure DDNS / dynamic DNS

    I have an Internet link connected to my Cisco router. The package that I subscribed to comes with a dynamic IP address. I was told that if I need remote access to the Cisco router, I need to enable the DDNS function. Is this possible on a Cisco router? I have been informed that this feature is not supported. Please help me.

    Hi Bro

    Yes, Cisco ASA and Cisco IOS routers support DDNS. Just make sure you have the right IOS version, which you can check at this Cisco URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html#wp1202953.

    Please refer to the config below, made with dyndns.org.

    !
    hostname INT-RTR1
    !
    ip domain name dyndns.org
    ip name-server 8.8.8.8
    !
    ip ddns update method DynDNS
     HTTP
      add http://ramraj:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
     interval maximum 30 0 0 0
     interval minimum 30 0 0 0
    !
    interface Dialer1
     ip ddns update hostname INT-RTR1.dyndns.org
     ip ddns update DynDNS
    !

    Note: hostname INT-RTR1.dyndns.org was the host added/registered on the dyndns.org site.

    Note: Press Ctrl+V and then type the ? symbol when adding the http://... line above on the CLI, otherwise the CLI treats ? as a help request.

    Note: ramraj:cisco123 is simply an example of credentials on dyndns.org.

    You can also refer to this URL for more details: http://www.petri.co.il/csc_configuring_dynamic_dns_in_cisco_ios.htm

    P/S: If you find this comment useful, please rate it well :-)

  • Local use and authentication AD with ACS 5.6

    I have an ACS 5.6 appliance configured to use AD authentication for my default network access and rules. It works very well.

    I tried to add some devices, put them in a group and give only locally defined ACS users access to these devices.

    Problem: after creating the local accounts on ACS, creating a local identity group, and trying to authenticate on a device, I always get "object not found in the identity store".

    Is there a way to have hybrid authentication like that? How do we do it?

    Hi Colin,

    One thing that comes to mind is the "identity store sequence". Ensure that you have "internal users" listed in there, otherwise the request would never be mapped against the internal users.

    I also want to double check the identity source under Default Device Admin or any service that you created. Ensure that it includes internal users.

    Take a look at the document below for more details on the identity store sequence.

    https://supportforums.Cisco.com/document/103901/ACS-5x-identity-store-se...

    Kind regards

    Kanwal

    Note: Please rate if helpful.

  • HSRP in Cisco IOS-XE

    Hi, we just got our Cisco 3850 switch newly shipped with IOS-XE. Here is the output of the 'show version' command.

    Switch(config-if)#do show ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Sep-13 18:24 by prod_rel_team

    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.

    ROM: IOS-XE ROMMON
    BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

    HK-CSW001 uptime is 4 hours, 0 minutes
    Uptime for this control processor is 4 hours, 3 minutes
    System returned to ROM by reload
    System image file is "flash:packages.conf"
    Last reload reason: Reload command

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    License Level: Ipbase
    License Type: Permanent
    Next reload license Level: Ipbase

    cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
    Processor board ID FOC2007U0YG
    2 Virtual Ethernet interfaces
    28 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    1609272K bytes of Flash at flash:.
    0K bytes of Flash at usbflash0:.
    0K bytes of  at webui:.

    Base Ethernet MAC Address          : 00:cc:fc:d1:55:80
    Motherboard Assembly Number        : 73-16297-04
    Motherboard Serial Number          : FOC20061W6G
    Model Revision Number              : Z0
    Motherboard Revision Number        : B0
    Model Number                       : WS-C3850-24T
    System Serial Number               : XXXXXXXXXXX

    My problem is, I tried HSRP version 1 before using Packet Tracer and thought that since it worked there, I could do it here on this new switch, but after reading a few articles HSRP version 1 went out and HSRP version 2 came in. However, after I typed in

    "interface vlan XXX"

    "ip address XXX.XXX.XXX.XXX subnet"

    the command "standby version 2" is not available, and "standby ip XXX.XX" is not available either.

    I'm stuck with this problem now, appreciate any help from you guys.

    Thank you

    The f

    Hello Jeff,

    We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently we run 03.06.00.E on our WS-C3850-24T and this version supports HSRP.

    I absolutely don't understand why Cisco released such an unfinished software/switch combo.

    So, please try a newer version of the software.

    See you soon

    Ichnafi

    Supplement: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) says: HSRP is supported since version 3.3.0.

  • Site-to-Site VPN between two Cisco 2801s with NAT traversal

    Hi guys,

    I would like to configure two Cisco 2801s using IPsec/IKE. Both routers are connected to the internet through DSL lines. The DSL lines have RFC1918 addresses on the LAN side, where the routers' internet-facing interfaces connect. I can do NAT on the DSL modems.

    Do Cisco IOS 2801 routers allow configuring a site-to-site VPN with NAT traversal?

    Here is a model of the physical/IP configuration:

    LAN <-> 2801 <-priv ip-> DSL modem <-Internet-> DSL modem <-priv ip-> 2801 <-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go, but only if one or both of the sites has a public IP address that is statically NATed to the private IP address. The IPsec implementation on IOS supports NAT traversal in most cases, so that shouldn't be a concern.

  • Cisco IOS - admin login failed

    Hello

    I configured Cisco IOS to authenticate via a RADIUS server (Cisco ISE). By mistake I put all authentication via RADIUS only.

    Now I can connect via RADIUS but I am unable to connect through the local Admin credentials of Cisco IOS, and for this reason I am not able to access the privileged commands.

    Is there a way back so that logging in as the local admin would be possible again, and not only via RADIUS?

    I do not have access to the 'configure' or 'enable' commands as the RADIUS user.

    Did that work before? BTW, what IOS code are you running?

    What error do you see on the IOS command line when ISE is DOWN and you're trying to connect with the local user account?

    Do you have local authentication as a failover method? Did you keep a copy of the IOS config from before you locked yourself out?

    You can check the ISE live authentication logs to see whether the user is authenticated by the RADIUS server. If you can use the RADIUS credentials, go to ISE > Operations > Authentications > log messages.

    Did you write the changes? If not, the last resort would be a RELOAD.

    ~ BR
    Jatin Kone

    * Please rate useful posts *

  • Admin Auth LMS with ACS 5.3

    Hey people, I need to integrate LMS 4 with ACS 5.x for LMS user authentication. Two roles are necessary, Admin and Monitor. Is there any documentation, example configuration, or other useful information? Any help welcome.

    Best regards, Michael

    Hi Michael,

    Perhaps these threads will give you enough details:

    https://supportforums.Cisco.com/message/3484567

    Best regards

    André

  • EAP-TLS authentication with ACS 5.2

    Hi all

    I have a question on EAP-TLS with ACS 5.2.

    If I want to implement EAP-TLS with a Microsoft CA, how will computer and user authentication be done?

    I understand that the cert is required on the client and the server end, but is this certificate bound to the computer or to individual users?

    If it binds to the user, and I have a shared PC used by a few users, will each user account have its own certificate?

    And will each individual user have to manually get the CA cert? Is there another method, as my environment has more than 3000 PCs?

    And also, if it binds to the user, any user can get their CA cert with their AD username and password; if they bring in their own device and try to get the CA certificate, they will be able to install the cert properly on their device, right?

    I hope you guys can help with that. Thank you.

    Hope this will answer most of your questions:

    Client or user certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10

    Computer certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15

    In the case of EAP-TLS we have both the computer and the user certificate installed on the machines.

    Kind regards

    Jousset

    Please rate useful posts.
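The shell command authorization steps above (local backdoor user, `local` fallback on every method list, no mixing of `privilege exec level` with command authorization sets) and the "admin login failed" thread describe the same failure mode from both sides: a method list that depends only on the AAA server locks the admin out when the server is unreachable. The following linter is an added example, not code from the forum or from Cisco; it parses a plain-text IOS config and flags those conditions. Both sample configs are constructed for this example, modelled on the ones posted above.

```python
import re

# Constructed sample, modelled on the aaa configuration posted in the EAP-FAST
# thread: the default login list has no local fallback, there is no local
# privilege-15 user, and privilege levels are mixed with command authorization.
UNSAFE_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ ACSTEST1
 server 1.1.1.1
!
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
privilege exec level 7 configure terminal
"""

# Constructed sample following the steps in the shell command authorization
# reply: local backdoor user plus 'local' fallback on every method list.
SAFE_CONFIG = """\
username admin privilege 15 secret <password>
aaa new-model
tacacs-server host 10.90.0.11 key <key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

AUTH_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")
AUTHZ = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
PRIV = re.compile(r"^privilege exec level (\d+) ")
BACKDOOR = re.compile(r"^username \S+ .*privilege 15")
LOGIN_FALLBACKS = {"local", "local-case", "enable", "line", "none"}
AUTHZ_FALLBACKS = {"local", "if-authenticated", "none"}


def parse_methods(rest):
    """Split an IOS method list into (server groups, non-server methods)."""
    tokens, groups, methods = rest.split(), [], []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            groups.append(tokens[i + 1])   # 'group tacacs+' / 'group ACS'
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return groups, methods


def lint_aaa(config):
    """Return a list of lockout/misconfiguration findings for an IOS AAA config."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings, priv_levels, cmd_levels = [], set(), set()
    for line in lines:
        if m := AUTH_LOGIN.match(line):
            groups, methods = parse_methods(m.group(2))
            if groups and not set(methods) & LOGIN_FALLBACKS:
                findings.append(f"login list '{m.group(1)}' uses only {groups}: "
                                "no local fallback, lockout if the server is unreachable")
        elif m := AUTHZ.match(line):
            groups, methods = parse_methods(m.group(3))
            if groups and not set(methods) & AUTHZ_FALLBACKS:
                findings.append(f"authorization {m.group(1)} list '{m.group(2)}' "
                                "has no local/if-authenticated fallback")
            if m.group(1).startswith("commands"):
                cmd_levels.add(int(m.group(1).split()[1]))
        elif m := PRIV.match(line):
            priv_levels.add(int(m.group(1)))
    if "aaa new-model" in lines and not any(BACKDOOR.match(ln) for ln in lines):
        findings.append("aaa new-model without a local privilege-15 username: "
                        "no backdoor account if the AAA server is down")
    if priv_levels and cmd_levels:
        findings.append(f"privilege exec level {sorted(priv_levels)} mixed with "
                        f"command authorization at {sorted(cmd_levels)}: use one or the other")
    return findings


if __name__ == "__main__":
    for name, cfg in (("unsafe", UNSAFE_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, lint_aaa(cfg) or "no findings")
```

Run it against `show running-config | section aaa|username|privilege` output before committing an AAA change; the unsafe sample yields three findings and the safe one none.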
