Encryption AAA
Hello
I just wanted to ask what the default encryption is that the ASA uses during the exchange of the username and password with a RADIUS (Windows Server) server. And is it possible to change the encryption (3DES, AES-128)?
Thank you.
RADIUS as a protocol uses an MD5-based 'hide' mechanism to encrypt the password attribute. It's a well-known problem with this communication.
To ensure that the traffic is encrypted, I think the best thing to do is to establish an IPsec tunnel between the server and the authenticating devices.
I hope it helps.
PK
Tags: Cisco Security
Similar Questions
-
Cisco IPsec VPN encrypts but does not decrypt
Hello
I have a vpn ipsec problem.
Packets are encapsulated and decapsulated, but only in one direction. I don't understand why.
The VPN is already up on another router; I want to change the router but can't get the VPN to come up on the new router.
Thank you for helping me
PS: Sorry for my English
Hello
I looked at the configuration of your router RT-897VA once again, and I don't know whether the static NAT statements in there are supposed to work or not, but they won't, because you have not specified any inside and outside interfaces. The configuration changes below correspond to the configuration of your RT router; check whether implementing them makes a difference (the changes are indicated in bold):
RT-897VA#show run
Building configuration...
Current configuration : 3933 bytes
!
! Last configuration change at 11:56:34 CET Fri Nov 4 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RT-897VA
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone CET 1 0
!
ip domain name XXXXX
ip name-server 194.2.0.20
ip name-server 194.2.0.50
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
default value for the field
!
cts logging verbose
license udi pid C897VA-K9 sn FCZ2030DL
!
username itef privilege 15 password 0 ...
!
controller VDSL 0
!
ip ssh rsa keypair-name XXX
ip ssh version 2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cleidentique address IP-WAN-B
!
crypto ipsec transform-set toto esp-aes esp-sha-hmac
 mode tunnel
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer IP-WAN-B
 set transform-set toto
 match address TUNNEL-DATA
crypto map TUNNEL 2 ipsec-isakmp
 set peer IP-WAN-B
 set transform-set toto
 match address TUNNEL-TOIP
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 description BOX-SWITCH
 switchport trunk native vlan 101
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description WAN
 ip address IP-WAN-A 255.255.255.240
 ip virtual-reassembly in
 ip nat outside
 duplex auto
 speed auto
 crypto map TUNNEL
!
interface Vlan1
 no ip address
!
interface Vlan101
 description VLAN-DATA
 ip address 192.168.101.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan111
 description VLAN-TOIP
 ip address 192.168.111.251 255.255.255.0
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.101.2 25 IP 25 extendable
ip nat inside source static tcp 192.168.101.2 80 IP 80 extendable
ip nat inside source static tcp 192.168.101.2 443 IP 443 extendable
ip nat inside source static tcp 192.168.101.31 3201 IP 3201 extendable
ip nat inside source static tcp 192.168.101.31 80 IP 3280 extendable
ip nat inside source static tcp 192.168.101.11 443 IP 33443 extendable
ip nat inside source list NAT interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
ip route 192.168.100.0 255.255.255.0 IP-WAN-B
!
ip access-list extended NAT
 deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended TUNNEL-TOIP
 permit ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
!
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
ip access-list extended TUNNEL-TOIP
 permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password ...
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password ...
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
-
lockout on the router (aaa new-model)
So here I am again... Need help. I can now connect to my router, which is authenticated through a remote ACS; my problem is when I run the 'enable' command from user level, because when I try to get into privileged mode it asks me for a password. I tried all the passwords, but I'm rejected, so I'm locked out. See the attachment so that you understand what I mean... Thanks in advance
and here is my router config:
!
version 12.4
!
service password-encryption
!
hostname R1
!
aaa new-model
!
aaa authentication login fCONSOLE group radius
aaa authentication enable default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec fCONSOLE group radius
!
aaa session-id common
!
username mark privilege 15 password 7 110418171C
username anthony password 7 050A081B29434010
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 10.10.10.0 0.0.0.3
 network 192.168.5.0 0.0.0.7
 no auto-summary
!
ip radius source-interface FastEthernet0/1
!
radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 0519570C285F4D06
!
control-plane
!
line con 0
 exec-timeout 0 0
 authorization exec fCONSOLE
 logging synchronous
 login authentication fCONSOLE
line aux 0
line vty 0 4
 transport input telnet
Oh... Great to hear that your problem is resolved... Google is always the godfather!
By
Knockaert
-
How does this command work: 'aaa authentication enable default group radius'? I use Cisco Secure ACS 4.2 as my RADIUS server but I cannot connect... Is there someone here who can give me an understanding of this command? I need this for my CCNA Security exam... Help, please...
Additional information:
IETF Radius attributes: NAS calls
Here is my config on R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$e.TZ$EXkOaZ0rkd/GBGLA/8GrD/
!
aaa new-model
!
aaa authentication enable default group radius
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name aida.com
ip ssh version 2
!
username mark privilege 15 password 7 110418171C
username anthony password 7 050A081B29434010
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 10.10.10.0 0.0.0.3
 network 192.168.5.0 0.0.0.7
 no auto-summary
!
no ip http server
no ip http secure-server
!
radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
Hi Bro,
The command 'aaa authentication enable default group radius' means that for your enable password you want the router to refer to the ACS server and obtain the credentials.
Another example: the command 'aaa authentication enable default group radius enable' means that for your enable password you want the router to refer to the ACS server and obtain the credentials, and in case your ACS is down you want the router to check the local enable password and get the credentials.
I saw what you are trying to achieve and you can do this with RADIUS as well, but I personally prefer TACACS+ where possible.
!
aaa new-model
!
aaa authentication login default local group radius
aaa authentication enable default group radius enable
aaa authorization exec default local
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco123
Note: $enab15$: this is because you have not configured aaa authorization commands. You can add a dummy username $enab15$ in your ACS, or you could paste the following commands into your router.
username admin privilege 15 password 0 cisco123
username operator privilege 7 password 0 cisco123
P/S: Please rate this comment, if you find this feedback useful :-)
-
AAA authentication failure for username
I recently tried to set up a Cisco WLC 4402 running 7.0.235.0 with RADIUS on Windows Server 2008 R2. I set my security type to WPA2-Enterprise with AES encryption and Microsoft PEAP, and I exported a certificate from my CA server and installed it on my client machine.
I don't know what I'm missing; let me know what further information would help you. I have attached a few screenshots.
0 Mon Jul 22 10:25:58 2013 Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC: 00:1e:79:d6:25:e0 Slot: 0 User Name: unknown Ip Address: Reason: 802.1x Authentication failed 3 times. Used: 4
1 Mon Jul 22 10:25:58 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
2 Mon Jul 22 10:25:54 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
3 Mon Jul 22 10:25:49 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
The issue seems to be with the server-side certificate. Based on your first post, I realize you are using a third-party certificate. Is it possible to issue a new certificate and try again? Or please export the certificate and attach it in your next reply.
Certificate requirements for PEAP and EAP
http://TechNet.Microsoft.com/en-us/library/a1ac8d7e-3479-46B4-932b-ab43362e021b
By default, these logs are located in %windir%\System32\Logfiles
http://TechNet.Microsoft.com/en-us/library/dd197464%28V=WS.10%29.aspx
~ BR
Jatin
* Please rate helpful posts *
-
No encrypted local password in config?
I hope this is the right section to ask this question. I'm putting up a new 2811 router (moving from a 2611). We have local usernames on the 2611 for authenticating SSH connections and PPTP sessions. The passwords associated with the usernames are encrypted when viewed with a 'sh run' or in a configuration copied to TFTP, but on the new router the passwords are shown as plain text. Is this because I have not yet put AAA in place as it is on the old router? Is there a better way to do it on the new router (not authenticating locally, but to a second box)?
Hello
Try:
service password-encryption
in global configuration mode (configure terminal).
This should encrypt the account password, so that it is not visible.
Kind regards
Prem
-
AAA server group does not work
All,
I have an AAA server group set up on my router to use for AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.
*****************************************************
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname BUSINESS
!
aaa new-model
aaa group server tacacs+ TACSLOG
 server 192.x.x.x
 server 192.x.x.x
!
aaa authentication login default group TACSLOG local
aaa authorization exec default group TACSLOG local
aaa accounting exec default start-stop group TACSLOG
aaa accounting commands 5 default start-stop group TACSLOG
aaa accounting commands 15 default stop-only group TACSLOG
enable password xxx
!
username xxx password xxx
username xxx privilege 15
username xxx autocommand menu ADMIN1
ip subnet-zero
!
ip domain-name SBA.GOV
!
call rsvp-sync
!
interface FastEthernet0/0
 ip address 192.x.x.x 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
ip classless
no ip http server
!
menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
menu ADMIN1 text 2 SHOW INTERFACE FA0/0
menu ADMIN1 command 2 SHO INT FA0/0
menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
menu ADMIN1 command 3 SHOW RUN INT FA0/0
menu ADMIN1 text 4 SHOW ARP
menu ADMIN1 command 4 SHOW ARP
menu ADMIN1 text 5 LOGOUT
menu ADMIN1 command 5 LOGOUT
!
dial-peer cor custom
!
privilege exec level 5 show ip interface brief
privilege exec level 5 show interface fa0/0
privilege exec level 5 show running-config interface fa0/0
privilege exec level 5 show arp
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
end
When you define an AAA server group, you associate the IP address of a server with the group name. You must still define the AAA server separately, which is also where you set the key that is used. In your case, you must add to your configuration:
tacacs-server host 192.x.x.x key Council
tacacs-server host 192.x.x.x key Council
HTH
Steve
-
AAA w/RSA: "no authorization type..."
I've set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA 'Agent hosts' with identical configurations. The router (2621XM / EntServ, 12.4(18)) and the switch (3560-24PS / IPBase, 12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA works fine as far as the passcode being accepted. But the switch won't let me in:
**********************
Username:
Password:
PASSCODE Accepted
% Authorization failed.
**************************
When I do "deb radius authentication" on each, the outputs are the same until the last 2 lines. The router that works says:
000055: Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
000056: Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes
But the switch says:
000284: Jan 16 12:20:47 UTC: RADIUS: saved authorization data for user 3030220 at 3034440
000285: Jan 16 12:20:47 UTC: RADIUS: no authorization type for user.
The only other difference I can think of is that I use SSH for the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use another IOS, I think).
Any clue? TIA
Paul
If I were you, I would 'disable' authorization on the Catalyst 3560. I have an identical setup like yours on my Catalyst 2960 and it works very well. See below:
[root@<host> /root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
*****************
User Access Verification
Username: test4
Password:
Enter your new PIN, containing 4 to 8 digits,
or
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Enter PASSCODE:
C2960#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 16-Jul-07 02:53 by myl
Image text-base: 0x00003000, data-base: 0x00CC0000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System returned to ROM by power-on
System restarted at 23:20:30 GMT Wed Dec 26 2007
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID FOC1036X0F1
Last reset from power-on
2 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:19:55:1B:D6:00
Motherboard assembly number     : 73-10015-05
Power supply part number        : 341-0098-02
Motherboard serial number       : FOC10352NF2
Power supply serial number      : AZS103402ZF
Model revision number           : B0
Motherboard revision number     : B0
Model number                    : WS-C2960G-24TC-L
System serial number            : FOC1036X0F1
Top Assembly Part Number        : 800-26673-02
Top Assembly Revision Number    : C0
Version ID                      : V02
CLEI Code Number                : COM3G00BRA
Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version              SW Image
------ ----- -----              ----------              ----------
*    1 24    WS-C2960G-24TC-L   12.2(25)SEE4            C2960-LANBASEK9-M

Configuration register is 0xF

C2960#sh run | inc aaa
aaa new-model
aaa authentication login test group radius local
aaa authentication login test1 group tacacs+ local
aaa authentication login notac local
aaa authentication dot1x default group radius
aaa session-id common
C2960#
CCIE Security
-
AAA TACACS+ with local auth backup
Hello
I'm trying to get my switches/routers/etc. to use AAA so that I can restrict access to the configuration of the devices on my network. I have AAA authentication to ACS v3.3 now, but for some reason my local user no longer works. I would like to have the possibility of a local login, just in case my ACS becomes unavailable.
My config on a 2950 is...
version 12.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
aaa authentication login SMOC-access group tacacs+ local enable none
aaa authorization exec SMOC-access group tacacs+ local
aaa authorization network SMOC-access group tacacs+ local
aaa accounting exec SMOC-access stop-only group tacacs+
aaa accounting network SMOC-access stop-only group tacacs+
enable secret xxx
enable password xxx
!
username admin privilege 15 secret xxx
tacacs-server host 172.20.2.25 key xxx
tacacs-server key xxx
tacacs-server administration
line vty 0 4
 exec-timeout 15 0
 password xxx
 authorization exec SMOC-access
 accounting exec SMOC-access
 logging synchronous
 login authentication SMOC-access
 length 48
line vty 5 15
 password xxx
!
The only time the local user will work is when your RADIUS server is not available. You can test this by putting in the wrong TACACS+ key and establishing a new session. Be sure to keep the original session open just in case :-)
HTH and rate please.
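The fallback rule behind this answer (and behind the "Hi Bro" answer about 'group radius enable' earlier on this page) is easy to get wrong, so here is a small model of it as an added example; it is not code from any post or from Cisco. It assumes the documented IOS behaviour: a method list moves to the next method only when the current one returns ERROR (server dead, no valid reply, key mismatch), never when it returns FAIL (server reachable and rejected the user). The server, users and keys are all constructed placeholders, and the list `["group tacacs+", "local", "enable", "none"]` is the one from the 2950 config above.

```python
"""Model of how a Cisco IOS AAA login method list falls through to 'local'.
Added example for this thread (not from any post or from Cisco). Assumed rule:
a method is skipped only on ERROR (no usable answer), never on FAIL (rejected)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # method answered and rejected the credentials: final
    ERROR = "error"  # method could not answer: try the next method in the list


@dataclass
class TacacsServer:
    """Constructed stand-in for ACS: a shared key and a user table."""
    key: str
    users: dict
    reachable: bool = True

    def authenticate(self, client_key, user, password):
        # A dead server or a key mismatch means the device never gets a valid
        # reply, so the method result is ERROR, not FAIL.
        if not self.reachable or client_key != self.key:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class Device:
    tacacs_key: str
    server: TacacsServer
    local_users: dict
    enable_secret: Optional[str]
    method_list: list  # e.g. ["group tacacs+", "local", "enable", "none"]

    def run_method(self, name, user, password):
        if name == "group tacacs+":
            return self.server.authenticate(self.tacacs_key, user, password)
        if name == "local":
            if not self.local_users:           # no username entries: modeled as ERROR
                return Result.ERROR
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        if name == "enable":
            if self.enable_secret is None:     # no enable secret configured: ERROR
                return Result.ERROR
            return Result.PASS if password == self.enable_secret else Result.FAIL
        if name == "none":
            return Result.PASS                 # 'none' accepts everybody
        raise ValueError(f"unknown method {name!r}")

    def login(self, user, password):
        """Walk the list left to right; stop at the first PASS or FAIL."""
        trace = []
        for name in self.method_list:
            result = self.run_method(name, user, password)
            trace.append((name, result.value))
            if result is not Result.ERROR:
                return result.value, trace
        return Result.FAIL.value, trace        # every method errored


def scenario(methods, user, password, *, server_reachable=True, key_ok=True,
             local_users=None, enable_secret="en-secret"):
    """Build one constructed device/server pair and return the login outcome."""
    server = TacacsServer(key="tacacs-key", users={"netadmin": "acs-pw"},
                          reachable=server_reachable)
    device = Device(tacacs_key="tacacs-key" if key_ok else "wrong-key",
                    server=server,
                    local_users={"admin": "local-pw"} if local_users is None else local_users,
                    enable_secret=enable_secret,
                    method_list=list(methods))
    return device.login(user, password)[0]


if __name__ == "__main__":
    smoc = ["group tacacs+", "local", "enable", "none"]   # list from the 2950 config
    print("ACS up, local user          ->", scenario(smoc, "admin", "local-pw"))
    print("ACS unreachable, local user ->", scenario(smoc, "admin", "local-pw", server_reachable=False))
    print("wrong key, local user       ->", scenario(smoc, "admin", "local-pw", key_ok=False))
    print("all methods error, 'none'   ->", scenario(smoc, "nobody", "x", server_reachable=False,
                                                   local_users={}, enable_secret=None))
```

The first case is the poster's symptom: ACS is up, rejects the unknown local user, and that FAIL is final, so 'local' is never consulted. The second and third cases reproduce the test suggested above (server down or wrong key both produce ERROR, and the local user then works). The last case is the caveat worth checking on the 2950: with 'none' at the end of the list, a device with no local usernames and no enable secret will let anyone in whenever the TACACS+ server is unreachable.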
-
How to set up local login access, but with an MD5-encrypted password
Hello
I can set up an unencrypted password, but how do you create an encrypted?
Thank you
Jeff
Hi Jeff,
Use "secret" instead of "password". For example, instead of using something like 'username example password cisco', use 'username example secret cisco'. This way, your secret is hashed with MD5.
You can also consider using an external AAA server for authentication.
-
Windows NPS for AAA authentication of a Cisco router: is it secure?
I am very confused about how all this works and was hoping someone could help me.
I followed a bunch of online tutorials for setting up RADIUS authentication on a Cisco router and pointed it at a Windows Server NPS. Now I can SSH into the router with my AD account.
Now that I got it to work, I go to the settings to make sure everything is secure.
On my router, the config is pretty simple:
aaa new-model
aaa group server radius WINDOWS_NPS
 server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
aaa authentication login default local group WINDOWS_NPS
ip domain-name MyDom
crypto key generate rsa
(under vty and console)
 login authentication default
- I created a new RADIUS client for the router.
- Created a secret shared and specified Cisco as the name of the seller.
- Created a new strategy of network with my desired conditions.
- And now the part of the network policy configuration that worries me:
So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:
How is my password being encrypted, and how strong is the encryption? Another thing: how can I configure AAA authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using PPP; I'm using AAA with a RADIUS server.
Hello
RADIUS encrypts the password but sends the username in the clear. TACACS+ encrypts both the username and the password.
You can find the encryption scheme used by RADIUS in the RFC:
https://Tools.ietf.org/html/rfc2865#page-27
MS-CHAPv2 is used for user authentication such as remote access and VPN, not for switch management.
Thank you
John
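The "MD5 hide" mentioned in the first answer on this page and the RFC 2865 scheme John points to are the same thing, and it is short enough to write out. The following is an added example (not code from any post, from Cisco or from the RFC itself) that hides and unhides a User-Password exactly as RFC 2865 section 5.2 specifies, then builds a minimal Access-Request so the User-Name and User-Password attributes can be looked at the way a packet capture shows them. The shared secret, authenticator, username and password are constructed placeholders.

```python
"""RFC 2865 User-Password hiding on the wire between an AAA client and a RADIUS server.
Added example for this thread (not from any post, from Cisco or from the RFC text):
secret, authenticator and credentials below are constructed placeholders."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1   # RADIUS code (RFC 2865 section 3)
USER_NAME = 1        # attribute types (RFC 2865 sections 5.1 and 5.2)
USER_PASSWORD = 2


def new_authenticator() -> bytes:
    """The 16-byte Request Authenticator must be unpredictable (RFC 2865 section 3),
    so it is drawn from the OS CSPRNG here."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                      # chain on the ciphertext block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding the shared secret can do this,
    so the secret's strength is the only thing protecting the password."""
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")   # strip the RFC padding


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Code, Identifier, Length, Authenticator, then Type/Length/Value attributes."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username        # sent in clear
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden       # only this is hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attribute_type: raw_value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator = pkt[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # placeholder, not a real key
    ra = new_authenticator()
    pkt = build_access_request(7, ra, b"alice", b"s3cret-pw", secret)
    _, _, _, attrs = parse_packet(pkt)
    print("User-Name on the wire:    ", attrs[USER_NAME])
    print("User-Password on the wire:", attrs[USER_PASSWORD].hex())
    print("recovered with the secret:", unhide_password(attrs[USER_PASSWORD], secret, ra))
```

Two things follow directly from the code and match the advice given on this page: the User-Name attribute is plain bytes in the packet, and the User-Password hiding is a reversible XOR with an MD5-derived keystream that depends only on the shared secret and the Request Authenticator, so a weak or widely shared secret, or a repeated authenticator, weakens it. That is why the first answer recommends carrying RADIUS inside an IPsec tunnel between the NAS and the server.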
-
No aaa new-model in the config
Hi all.
First Cisco router and first post so please be gentle.
I did a search on it and I get the same thing as in the post I found:
Router(config)#no aaa new-model
IOS 12.4(24)
I erased the router when I got it.
I had the configuration a little as I wanted it, as a reference point.
I saved it.
I then started to work on the wireless part of the walk-through, which is where this came from:
Router(config)#aaa new-model
Router(config)#
So I went back and tried to erase this line from the config file.
Yes, I did:
Router(config)#no aaa new-model
Router(config)#exit
Router#wr
Router#show running
I continue to see the 'no aaa new-model' line in the config.
So I erased the whole thing with:
Router#write erase
and
Router#reload
said no to save and then took the default for the last question.
Everything reloaded and it seemed to be back as before, but then show run displays this, no matter how many times I erase and reload:
Router>en
Router#show run
Building configuration...
Current configuration : 1331 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 --More--
*Jan 16 23:40:09.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed s
 station-role root
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
end
Is there a way to remove that line from the config, or is it stuck? And if it is stuck, does it have any effect?
Thank you very much
Maurice
Hello Maurice.
Just to confirm: you want the 'no aaa new-model' command to be removed from your config? If so, this is the default when AAA is disabled on the device. If you want to enable AAA, then just run the same command without the 'no':
aaa new-model
Then save your config:
write mem
For more information about this and other commands, you can reference Cisco's 'Command Lookup Tool':
https://Tools.Cisco.com/support/CLILookup/cltSearchAction.do
I hope this helps!
Thank you for evaluating useful messages!
-
I am configuring AAA. I'm setting up a router so that when users access it using the vty lines, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test aaa group AUTH administrator xxxxxxx legacy' it gives the following error:
Attempting authentication test to server-group AUTH using radius
*Mar 1 01:01:04.991: AAA: parse name= idb type=-1 tty=-1
*Mar 1 01:01:04.991: AAA/MEMORY: create_user (0x6417FF80) user='Administrator' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
No authoritative response from any server.
RTR#
*Mar 1 01:01:23.647: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.243:1812,1813 is not responding.
*Mar 1 01:01:23.655: AAA/MEMORY: free_user (0x6417FF80) user='Administrator' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
*Mar 1 01:01:23.655: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.243:1812,1813 is being marked alive.
I also used the default ports for authentication, but still no use. I am able to ping the RADIUS server from the router and can ping the router from the RADIUS server.
The RADIUS server is installed in VMware and the router is emulated in Dynamips.
Here is the configuration of the router:
RTR#sh run
Building configuration...
Current configuration : 863 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server radius AUTH
 server 172.16.1.243 auth-port 1812 acct-port 1813
!
aaa authentication login AUTH group radius
!
aaa session-id common
memory-size iomem 5
!
ip cef
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 172.16.1.241 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
ip radius source-interface FastEthernet0/0
!
radius-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login authentication AUTH
!
end
Do you see any hits in the 2003 event logs? If not, the request is not reaching the RADIUS server.
Do not forget that Dynamips sometimes shows abnormal behavior. Since you are able to ping, connectivity seems to be just fine here.
Check the shared secret key and make sure that the radius ports are open, check to see if there is a firewall between the two.
Kind regards
~ JG
-
Hi all
I had configured TACACS+ on the ASA, but the problem is that when I try to Telnet in, it authenticates me with my username & password on ACS, but I can't get privilege level 15 as configured on ACS. It asks me for the enable password and does not take the password that is on ACS. I used shell authorization for privilege 15. The configuration done on the ASA is:
name 172.30.xx.xx DCC-1
name 172.30.yy.yy DCC-2
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host DCC-1
 key cisco
aaa-server tacacs+ host DCC-2
 key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console LOCAL tacacs+
enable password V3VzjwYzTRfTLwOb encrypted
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
I even added my username & password to the local database on the ASA, the same as on ACS. Still no progress...
Can anyone give their suggestion on this?
Kind regards
Piyush
It asks not for shell privilege level 15 but for enable privileges, which must be set to 15 in ACS ---> configured user ---> enable options ---> Max privilege for any AAA client ---> 15
-
PIX 501 & VPN Client unable to ping or encrypt traffic?
I'm new and I'm working on my CCNA. I have a PIX set up behind a DSL router with NAT that I cannot turn off. I created a pinhole for IPsec traffic on port 500 to my PIX outside interface. I can connect correctly with the VPN Client software; I think I establish the IKE and IPsec tunnel just fine. I used the wizard to configure the VPN. I have a DHCP pool which issues an IP address correctly, and a user group with a password set. There is no site-to-site VPN; the network is a peer network without any DNS or WINS server on the local network. I'm lost, frustrated and tired of the 45-minute drive to this site whenever I want to try a new configuration. It is essentially an out-of-the-box PIX. There aren't any configurations at all, really. Here is my config.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname pix
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool pool1 10.10.10.1-10.10.10.10
pdm location 192.168.12.0 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool pool1
vpngroup test idle-time 1800
vpngroup test password *
telnet timeout 5
ssh timeout 5
console timeout 15
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
banner exec Unauthorized access prohibited
banner login Unauthorized access prohibited
banner motd Unauthorized access prohibited
Cryptochecksum:xxx
: end
Thank you...
Hi gkotlin,
Please mark the request as solved, so that it's not seen by others. Rate the post if deemed useful... Thank you