Configuration of AAA
Hi all,
I have configured AAA on my Cisco switch with the following commands, and I was told that I used a few unnecessary commands that aren't needed.
What would be the effect of removing the red lines?
Any help will be much appreciated.
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
 password test
line vty 0 4
 access-class 1
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 access-class 1
 authorization exec VTY
 transport input telnet ssh
Thank you very much.
It wouldn't create any problems with the login, because you already have "aaa authentication login default group radius local", which actually applies to all lines. The lines you have highlighted are nothing else than method lists; you can create different ones for different lines according to your needs.
You may only need this command if you have some PPP authentication configured:
aaa authentication ppp default if-needed group radius local
For example, if you want to authenticate the console session ONLY with the local database and the vty lines by RADIUS, you can add the config listed below:
aaa authentication login CON local
aaa authorization exec CON local
line con 0
 login authentication CON
 authorization exec CON
~ BR
Jatin kone
*Please rate useful posts*
Tags: Cisco Security
Similar Questions
-
Configuration of AAA to include local auth for Console connections
Recently, during a maintenance window, I noticed that my AAA configuration is not set up to use local authentication if the AAA server is unavailable. I could use a little help making sure I have the correct configuration. Here is what I set up today:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key
Good... If you want that, you will need to configure a fallback option on your aaa login and enable authentication lines. Throw a 'local' keyword on the end of those, and you will get what you are looking for.
I'm a little worried that "aaa authentication console" does not appear in your configuration. It makes me think it will not survive the next reload.
Are you running the latest revision of your IOS version?
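The lockout the question and answer above describe (method lists that point only at a remote server group, with no 'local' at the end) can be caught before a reload. This is an added example, not code from the thread; it parses IOS 'aaa authentication' and 'aaa authorization' lines plus the 'line' stanzas, and the SAMPLE_CONFIG is a constructed stand-in for the poster's configuration.

```python
import re

# Constructed sample config (not the poster's exact text): the login and enable
# lists point only at TACACS+, the situation the answer says to fix with 'local'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authentication login CON local
aaa authorization exec default group tacacs+ local
line con 0
 login authentication CON
line vty 0 4
 transport input ssh
"""

# Methods IOS can satisfy with no AAA server reachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none"}

_LIST_RE = re.compile(
    r"^aaa (?:authentication (login|enable)|authorization (exec)) (\S+) (.+)$")


def parse_method_lists(config):
    """Map (kind, name) -> method list, e.g. ('login','default') -> ['group tacacs+']."""
    lists = {}
    for raw in config.splitlines():
        m = _LIST_RE.match(raw.strip())
        if not m:
            continue
        kind, name = m.group(1) or m.group(2), m.group(3)
        toks, methods = iter(m.group(4).split()), []
        for tok in toks:
            # 'group radius', 'group tacacs+' or 'group <named-group>' is one method
            methods.append(tok + " " + next(toks, "?") if tok == "group" else tok)
        lists[(kind, name)] = methods
    return lists


def line_login_lists(config):
    """Map each 'line ...' stanza to the login list it uses ('default' if none set)."""
    lines, current = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            current = s[len("line "):]
            lines[current] = "default"
        elif current and s.startswith("login authentication "):
            lines[current] = s.split()[2]
    return lines


def lockout_risks(config):
    """Return [(scope, list_name, methods)] for lists that fail closed when the
    AAA server is unreachable: no local/enable/line/none fallback in the list."""
    lists = parse_method_lists(config)
    # With 'aaa new-model' and no explicit default login list, IOS uses the local database.
    lists.setdefault(("login", "default"), ["local"])
    risks = []
    for scope, name in line_login_lists(config).items():
        methods = lists.get(("login", name), ["<undefined list>"])
        if not any(m in FALLBACK_METHODS for m in methods):
            risks.append((scope, name, methods))
    enable = lists.get(("enable", "default"))
    if enable is not None and not any(m in FALLBACK_METHODS for m in enable):
        risks.append(("enable", "default", enable))
    return risks


if __name__ == "__main__":
    for scope, name, methods in lockout_risks(SAMPLE_CONFIG):
        print(f"{scope}: list '{name}' = {methods} has no fallback method")
```

Running it on the sample flags the vty default login list and the enable list; appending 'local' to both makes the report empty.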
-
aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First of all, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command:
aaa authentication enable default group tacacs+ enable
what happens if I connect via the console? Do I need to enter a username and password?
Here is my configuration:
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
It should work because it is an aaa authentication banner message whenever you try to log in (console/vty). I set it up on my router.
If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:
************************************************************
* Username: cisco, password: cisco (priv 15 - local) *
************************************************************
Unauthorized use is prohibited.
Enter your name here: User1
Now enter your password:
Router#
The configuration more or less looks like this:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Now enter your password:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK
-
Hello
I want to configure aaa authorization with TACACS+ for console login, but in the Cisco documentation I found the following line: "Note: Authorization is bypassed for authenticated users who log in using the console line, even if authorization has been configured." So there is no way to configure authorization for console login, right?
THX
Larry
Hi Larry,
Some additional info; maybe that's what you are experiencing.
Console port authorization was not added as a feature until bug CSCdi82030 was implemented. Console port authorization is disabled by default to reduce the likelihood of being accidentally locked out of the router. If a user has physical access to the router through the console, console port authorization is not very effective. However, for images in which bug ID CSCdi82030 has been implemented, console port authorization may be turned on under line con 0 with the hidden command "aaa authorization console".
You can get specific information about a bug ID by using the Bug Toolkit under related tools and utilities.
Thank you
Christophe
-
Can Cisco ACS TACACS+ AAA be activated for telnet to Cisco 600 and 700 routers?
Unfortunately you cannot configure RADIUS or TACACS AAA on 600 or 700 series routers.
-
The ISE Cisco switch configuration
Hi experts,
I have the following network:
Devices -> access switch -> central office switch -> ISE server
All switches are IOS capable of 802.1X and of the AAA configuration for ISE to manage network devices. However, I read the guide on configuring the switches in preparation for the Cisco ISE deployment, and I wonder whether I should configure both the access switches and the core switches, or only configure the access switches for EHT access?
Thanks for your time to read!
If all clients are DHCP clients, then no configuration is needed on the core or distribution at all.
But you may need to look at different profiling options if the clients are not DHCP-enabled. Does the access switch support the IOS sensor feature? It would be very useful to have that, as it would send important profiling information to ISE. You may need to use the right ISE profiling options to determine the endpoint details.
Regards,
Vivek
-
AAA authentication and privilege-mode
I want to configure aaa authentication with local user accounts on the switch. The idea is to go directly into privileged mode without the enable command.
I have configured the following commands:
aaa new-model
aaa authentication login default local
What other (authorization) commands are necessary to get privileged mode?
Thank you
Pascal
Dear Sir
For the console you must issue one more command.
There is a hidden command within IOS you will need to apply: "aaa authorization console".
That should fix it.
Kind regards
~ JG
Please rate useful posts.
-
AAA problem in access to the switch console
Hi all
I have configured aaa as below:
tacacs-server host xxxxxx
tacacs-server directed-request
tacacs-server key xxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login techop group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
line vty 0 15
 login authentication techop
TACACS works fine for ssh, but when I try the switch console I am able to log in to exec mode; when it asks for the enable password, though, the switch does not accept any password (either TACACS or local credentials).
I am also only able to log in via the console to exec mode with the local credentials and not with the TACACS server credentials.
Temp>en
Password:
% Authentication failed.
Please share:
debug aaa authentication
debug aaa authorization
debug tacacs+
Regards,
Ed
-
Remote AAA server access problem
Hi all. I can ping and trace to this TACACS server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote server several times and then falls back to local. I noticed the logs show TCP FINs, which indicates that I am actually reaching the remote server, but the server sends a TCP FIN, or the server simply is not available as indicated by the logs. Why would the server not be accessible if I can ping and trace to it?
I also checked that the NOC extranet firewall accepted my traffic to the AAA server; they pulled the logs showing that my traffic has been accepted.
Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00
Here is my aaa config:
aaa-server MYGROUP protocol tacacs+
 max-failed-attempts 4
aaa-server MYGROUP (inside) host AAA_SERVER
 timeout 3
aaa authentication telnet console MYGROUP LOCAL
aaa authentication enable console MYGROUP LOCAL
aaa accounting command privilege 15 MYGROUP
I can ping AND trace to the TACACS server:
ATLUSA01-FW01# ping AAA_SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ATLUSA01-FW01# traceroute AAA_SERVER
Type escape sequence to abort.
Tracing the route to 151.162.239.239
 1 17.2.2.3 0 ms 0 ms 0 ms
 2 17.2.2.4 0 ms 0 ms 0 ms - extranet firewall
 3 10.4.7.1 0 ms 0 ms 0 ms
 4 10.4.7.13 0 ms 0 ms 0 ms
 5 10.4.7.193 0 ms 0 ms 0 ms
 6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 ms
You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.
Ask him or her to do the following:
Much easier and most important: check the 'failed attempts' log and see whether there is any entry at all for your ASA.
If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS+ key mismatch" - being convinced of a good config and checking it are two different things.
I have seen weird things like typing a key into an AAA server via remote desktop where the keyboard settings were inconsistent (English/German), resulting in swapped 'Y' and 'Z' letters - do not trust your config until you have checked it.
If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device is translating the address of the ASA (well, in this case you should see an "Unknown NAS" in the failed attempts).
Do you have the possibility to connect a device such as a laptop inside the network of the AAA server? If so, try telnet to tcp/49 of the AAA server; you will see immediately whether tcp/49 is allowed (blank screen immediately = connectivity, timeout = no connectivity).
That's all you can do on your side; unfortunately the ASA isn't a telnet client.
Rgds,
MiKa
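The log above tells two separate stories: the tcp/49 sessions were built and closed by FIN (so the path is open and the server-side failed-attempts log is the place to look, as the answer says), and the LOCAL fallback then rejected the user. This added example, not code from the thread, parses ASA syslog lines by message id and turns them into those two findings; SAMPLE_LOG is a constructed subset of the poster's log with the same message ids.

```python
import re
from collections import Counter

# Constructed sample (message ids and shape follow the poster's log above; the
# addresses, connection ids and user name are made-up stand-ins).
SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
TEARDOWN_RE = re.compile(r"Teardown TCP connection \d+ for \S+/49 to .* bytes (\d+) (.+)$")
REASON_RE = re.compile(r"reason = ([^:]+?)\s*:")


def parse_asa(log):
    """Yield (message_id, text) for every %ASA-<sev>-<id> line; skip anything else."""
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Summarise one failed login: TCP behaviour toward tcp/49, whether the
    server group was marked FAILED, and how the LOCAL fallback ended."""
    ids = Counter()
    report = {"tcp49_built": 0, "tcp49_closed_by_fin": 0, "tcp49_bytes": [],
              "server_marked_failed": False, "fallback_local": False,
              "local_reject_reason": None}
    for msgid, text in parse_asa(log):
        ids[msgid] += 1
        if msgid == "302013" and "/49 " in text:
            report["tcp49_built"] += 1
        elif msgid == "302014":
            t = TEARDOWN_RE.search(text)
            if t:
                report["tcp49_bytes"].append(int(t.group(1)))
                if "FIN" in t.group(2):
                    report["tcp49_closed_by_fin"] += 1
        elif msgid == "113022":
            report["server_marked_failed"] = True
        elif msgid == "409023":
            report["fallback_local"] = True
        elif msgid == "113015":
            r = REASON_RE.search(text)
            report["local_reject_reason"] = r.group(1) if r else "unknown"
    return report


def advice(report):
    """Turn the summary into the checks the answer above recommends."""
    out = []
    if report["tcp49_built"] and report["tcp49_closed_by_fin"]:
        out.append("tcp/49 handshake completed and the peer closed it with FIN: "
                   "the path is open, so check the server's failed-attempts log "
                   "(unknown NAS / shared-key mismatch).")
    elif report["tcp49_built"]:
        out.append("tcp/49 sessions built but never closed by the peer: suspect a "
                   "filter or NAT between the ASA and the server.")
    if report["server_marked_failed"] and report["fallback_local"]:
        out.append("Server group marked FAILED and LOCAL fallback was used.")
    if report["local_reject_reason"]:
        out.append(f"LOCAL fallback rejected the user ({report['local_reject_reason']}): "
                   "the fallback only helps if the account exists in the local database.")
    return out


if __name__ == "__main__":
    for line in advice(triage(SAMPLE_LOG)):
        print(line)
```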
-
Cisco ACS 1113 4.2: configure auth. for Infoblox appliance
Hello
I have a problem with Cisco ACS and an Infoblox appliance. We want to authenticate users that log in on the Infoblox through the Cisco ACS. After that the ACS should respond with authentication (RADIUS) passed and answer with the administrative group name the user belongs to on the Infoblox. To do this, I have to import a VSA to give the ACS the option to respond with this group name. On the Infoblox these groups are already created, and it must be that group the ACS responds with.
Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings I enabled the Infoblox-Group_info attribute and filled in a specific group name the authenticated user belongs to. Now, here's the part where the group info should be returned, but the Infoblox appliance gives me a RADIUS error response message. As I see in the ACS logs, the user authentication part is fine. So there must be something wrong in the info the ACS responds with when the user logs in.
I have attached the VSA and a Wireshark *.pcap to see what is happening.
Can you advise or suggest any option that can make this work?
With respect,
Richard Gosen
Hi Richard,
Please find attached the accountActions to remove it, and you can use your original accountActions to re-add the VSA.
Hope that works.
-
Hi, I need to produce an ACS report that will include all commands entered on firewalls/switches/routers.
ACS is installed successfully for these network devices, basic AAA works, I can see failed/passed authentications, and different authorization levels have been correctly configured, but I see only the commands that were denied in the reports (tested with different user levels). How can I configure AAA to log the commands entered by e.g. network device admins?
Hi Ganesh, thanks for reply.
Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled, and the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see when read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all the commands executed on the switch.
It is really important to have a record of who initiated what commands on the network devices, and when.
07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1
Any other suggestions?
Hello
If your ACS version is 4.1, TACACS+ command accounting no longer works. No accounting is visible in the TACACS+ Administration log (bug CSCsg97429).
Click on this link if you use ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
applAcs_4.1.1.23_ACS - 4.1 - CSTacacs -CSCsg97429.zip
Hope this helps!
Ganesh.H
Don't forget to rate useful posts.
-
Hello
I was creating an AAA configuration on my NX-OS switch (MDS9148), logged out / attempted to log in to test the AAA login, and now I can't log in as admin either! I did not change the local account. I still have Cisco Device Manager open (on the fabric switch) and I was wondering if anyone had any idea how I fix this (AAA is not running as of yet on this switch).
Thank you in advance,
supercell29
If I remember correctly, NX-OS should fall back to the local account automatically if AAA is not available. So after you enabled AAA on NX-OS, you could not log in with the local account? I haven't used Device Manager, but you can try to disable aaa there and then try again. Also, the link below provides the password recovery procedure.
http://www.Cisco.com/en/us/partner/docs/switches/Datacenter/SW/password_recovery/nx_os_pw.html
-
Hello
We have async lines between 2 sites carrying SCADA-type information.
When we applied TACACS AAA to the routers there was no problem until the lines were reset, so I guess that as EXEC sets up the connection it fails as there is no AAA authentication.
Due to the criticality of the information I have taken AAA off the routers for now, but I'm looking for a long-term solution.
Can I configure the lines to authenticate locally using a local username/password, or even have these particular lines not authenticate at all?
Any help appreciated
I had a situation that was somewhat similar to yours. Maybe the solution I found might work for your situation. I had async lines I wanted to authenticate to a server group that was different from what telnet/SSH authentication used. I configured the aaa authentication default list to use what I wanted on the async lines. In your case, it could specify local login to use the local ID and password, or perhaps you could specify none as the authentication method. Then I specified a named authentication method list using the other server group and applied the named authentication method on the vty lines.
HTH
Rick
-
Enable AAA authentication in the ASA system context
Hello!
We have an ASA configured in multiple-context mode with 8.4(2) software, configured for AAA.
The configuration in the admin context is as follows:
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
 key *
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
Because of multiple context, after login we enter the system context. Console port authentication works very well except for access to privileged mode when connecting through the console port.
After issuing the 'enable' command the ASA accepts only the enable password configured in the system context and changes the user ID to enable_15, so we are unable to do user-level command accounting and authorization.
It seems that the ASA in the system context is not aware of the AAA configuration at all, and there is no command to configure AAA in the system context.
Is there a way to configure enable AAA authentication in the system context?
Thanks in advance!
Hello
It looks like you hit the following known issue:
Admin context enable mode compared against system context DB credentials
Symptom:
In multi-mode configuration, the credentials a user enters to go to privileged mode (enable mode) via the serial console are not sent to an external server for authentication.
Conditions:
ASA/PIX is in multi mode. Serial console and enable console authentication are configured to use an external aaa server in the admin context.
Workaround:
Option 1: Configure the enable password in the system context. Option 2: Avoid the use of the serial console interface and rely on telnet or ssh console access. For SSH or telnet consoles, attempts to enter enable mode are authenticated as specified by the aaa configuration in the "admin" context.
Further Problem Description:
When authentication is enabled for the serial console and enable console in the admin context via an external aaa server (for example: radius or tacacs+), serial console login is checked against the external aaa server, but the enable mode credentials are compared with the enable db in the system context.
Hope that clarifies it. Unfortunately there is no solution for this problem.
Kind regards.
-
Role-based CLI views with an AAA method list
Hello
I'm configuring role-based CLI views on a router to limit user access.
My criteria:
- There should be a local user account on the router that has the 'service' view attached.
- If the router is online and can reach the radius server, people in the right group are assigned the 'service' view.
My configuration:
aaa new-model
enable secret 1234
username service view service secret 1234
!
aaa group server radius my_radius
 server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
 server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
!
aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
!
line con 0
 authorization exec mgmt
 logging synchronous
 login authentication mgmt
line vty 0 4
 authorization exec mgmt
 logging synchronous
 login authentication mgmt
 transport input ssh
THE ERROR
Now I want to go and set up the CLI view "service"...
# enable view
Password: 1234
*Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
QUESTIONS
Why is "enable view" trying to pick a method list when you need to provide the enable secret to access the root view?
Can you change this behaviour to always use the enable secret?
THE TEMPORARY SOLUTION
If you are connected to the router via telnet or SSH, the solution or workaround for this problem is:
aaa authentication login VIEW_CONFG local
!
line vty 0 4
 login authentication VIEW_CONFG
Make your view configuration and then reconfigure the line to use the correct (desired) authentication method.
________________________________
Thanks a lot for the suggestions
/ ENTOMOLOGIST
Hello
You have configured the following:
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
 authorization exec mgmt
 logging synchronous
 login authentication mgmt
line vty 0 4
 authorization exec mgmt
 logging synchronous
 login authentication mgmt
 transport input ssh
So every time you try to log in on the console or via ssh, the authentication will go to the radius server because of the following command: 'login authentication mgmt'.
You can get there: whatever is set first in the method list mgmt will take precedence.
The enable secret is defined locally, but you have configured the following:
aaa authorization exec mgmt group my_radius local
line con 0
 authorization exec mgmt
line vty 0 4
 authorization exec mgmt
So exec mode is also via the radius server.
When you set up:
aaa authentication login VIEW_CONFG local
!
line vty 0 4
 login authentication VIEW_CONFG
you do local authentication, so it works the way you want.
In short, whatever authentication is set first in the method list will take priority; the fallback will be checked only if the first aaa server is not reachable.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate useful posts.