AAA encryption

Hello

I just wanted to ask what encryption the ASA uses by default when it exchanges the username and password with a RADIUS (Windows Server) server. And is it possible to change the encryption (3DES, AES-128)?

Thank you.

RADIUS as a protocol uses an MD5-based 'hiding' mechanism to encrypt the password attribute. It's a well-known problem with this communication.

To ensure that the traffic is encrypted, I think the best thing to do is to establish an IPsec tunnel between the server and the authenticating devices.

I hope it helps.

PK
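The 'hiding' PK refers to is the User-Password mechanism of RFC 2865 section 5.2, which is also what the later NPS thread on this page points to. The following is an added example, not code from the original thread or from Cisco: it builds a minimal Access-Request the way a NAS such as the ASA would, applies the MD5/XOR hiding, and then shows what an observer on the path can read with and without the shared secret. The secret, Request Authenticator, NAS address and credentials are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, as applied when a NAS (the ASA here)
sends a username and password to a RADIUS server such as Windows NPS/IAS.
Added example, not code from the original thread; the shared secret,
authenticator, NAS address and credentials are constructed sample values."""
import hashlib
import os
import struct
from typing import Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous
    output block); the first 'previous block' is the 16-byte Request Authenticator.
    This is obfuscation keyed only by the shared secret, not real encryption:
    anyone holding the secret and the packet can invert it (see unhide_password)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (same keystream); NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, nas_ip: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Encode a minimal Access-Request: 20-byte header followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)  # fresh random value per request
    hidden = hide_password(password, secret, authenticator)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
             + struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6)
             + bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split the header and the attribute TLVs (type, length incl. 2 header bytes, value)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def observer_view(packet: bytes, secret: Optional[bytes]) -> dict:
    """What someone on the path between NAS and server can read: the User-Name is
    always cleartext; the User-Password is readable only with the shared secret."""
    p = parse_packet(packet)
    username = p["attrs"][ATTR_USER_NAME].decode()
    if secret is None:
        return {"username": username, "password": None}
    pw = unhide_password(p["attrs"][ATTR_USER_PASSWORD], secret, p["authenticator"])
    return {"username": username, "password": pw.decode("utf-8", "replace")}


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    pkt = build_access_request(7, b"alice", b"S3cret!pass", "192.0.2.10", SECRET)
    print("without secret:", observer_view(pkt, None))
    print("with secret:   ", observer_view(pkt, SECRET))
```

Two things the code makes concrete: the hiding cannot be switched to 3DES or AES because the algorithm is fixed by the attribute format, and its strength rests entirely on the shared secret and the randomness of the Request Authenticator, which is why the usual advice is a long random secret plus IPsec (or RADIUS over TLS) between NAS and server rather than trusting the hiding itself.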


Tags: Cisco Security

Similar Questions

  • Cisco Cisco IPSEC VPN to encrypt but not decrypt

    Hello

    I have a vpn ipsec problem.

    Packets are encapsulated and decapsulated, but only in one direction. I don't understand why.

    The VPN is already up on another router; I want to change the router but can't get the VPN to come up on the new router.

    Thank you for helping me

    PS: Sorry for my English

    Hello

    I looked at the configuration of your router RT-897VA once again, and I don't know whether the static NAT statements in there are supposed to work or not, but they won't, because you have not specified any inside and outside interfaces. The configuration changes below correspond to the configuration of your router RT; check whether implementing them makes a difference (the changes are indicated in bold):

    RT-897VA#show run
    Building configuration...

    Current configuration : 3933 bytes
    !
    ! Last configuration change at 11:56:34 CET Fri Nov 4 2016
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RT-897VA
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    clock timezone CET 1 0
    !
    !
    ip domain name XXXXX
    ip name-server 194.2.0.20
    ip name-server 194.2.0.50
    ip cef
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    vpdn enable
    !
    vpdn-group 1
     ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     l2tp tunnel timeout no-session 15
    !
    !
    default value for the field
    !
    cts logging verbose
    license udi pid C897VA-K9 sn FCZ2030DL
    !
    !
    username itef privilege 15 password 0 ...
    !
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name XXX
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cleidentique address IP-WAN-B
    !
    !
    crypto ipsec transform-set toto esp-aes esp-sha-hmac
     mode tunnel
    !
    !
    crypto map TUNNEL 1 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-DATA
    crypto map TUNNEL 2 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-TOIP
    !
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
     isdn termination multidrop
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet0
     description BOX-SWITCH
     switchport trunk native vlan 101
     switchport mode trunk
     no ip address
     spanning-tree portfast
    !
    interface GigabitEthernet1
     no ip address
    !
    interface GigabitEthernet2
     no ip address
    !
    interface GigabitEthernet3
     no ip address
    !
    interface GigabitEthernet4
     no ip address
    !
    interface GigabitEthernet5
     no ip address
    !
    interface GigabitEthernet6
     no ip address
    !
    interface GigabitEthernet7
     no ip address
    !
    interface GigabitEthernet8
     description WAN
     ip address IP-WAN-A 255.255.255.240
     ip virtual-reassembly in
     ip nat outside
     duplex auto
     speed auto
     crypto map TUNNEL
    !
    interface Vlan1
     no ip address
    !
    interface Vlan101
     description VLAN-DATA
     ip address 192.168.101.251 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Vlan111
     description VLAN-TOIP
     ip address 192.168.111.251 255.255.255.0
     ip virtual-reassembly in
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source static tcp 192.168.101.2 25 IP 25 extensible
    ip nat inside source static tcp 192.168.101.2 80 IP 80 extensible
    ip nat inside source static tcp 192.168.101.2 443 IP 443 extensible
    ip nat inside source static tcp 192.168.101.31 3201 IP 3201 extensible
    ip nat inside source static tcp 192.168.101.31 80 IP 3280 extensible
    ip nat inside source static tcp 192.168.101.11 443 IP 33443 extensible
    ip nat inside source list NAT interface GigabitEthernet8 overload
    ip route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
    ip route 192.168.100.0 255.255.255.0 IP-WAN-B

    ip access-list extended NAT
     deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.101.0 0.0.0.255 any
    ip access-list extended TUNNEL-DATA
     permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
    ip access-list extended TUNNEL-TOIP
     permit ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
    !
    ip access-list extended TUNNEL-DATA
     permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
    ip access-list extended TUNNEL-TOIP
     permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     password ...
     login
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     password ...
     login
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

  • lockout on the router (aaa new-model)

    So here I am again... I need help. I can now connect to my router, which is authenticated through the remote ACS; my problem is when I run the 'enable' command, because when I try to get into privileged mode it asks me for a password. I try all the passwords, but I am rejected, so I'm locked out. See the attachment so that you understand what I mean... Thanks in advance.

    and here is my router config:

    !
    version 12.4
    !
    service password-encryption
    !
    hostname R1
    !
    aaa new-model
    !
    !
    aaa authentication login fCONSOLE group radius
    aaa authentication enable default group radius
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec fCONSOLE group radius
    !
    aaa session-id common
    !
    !
    username mark privilege 15 password 7 110418171C
    username anthony password 7 050A081B29434010
    !
    !
    interface Loopback1
     ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.5.1 255.255.255.248
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.252
     duplex auto
     speed auto
    !
    router eigrp 100
     network 1.1.1.1 0.0.0.0
     network 10.10.10.0 0.0.0.3
     network 192.168.5.0 0.0.0.7
     no auto-summary
    !
    ip radius source-interface FastEthernet0/1
    !
    !
    radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 0519570C285F4D06
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     authorization exec fCONSOLE
     logging synchronous
     login authentication fCONSOLE
    line aux 0
    line vty 0 4
     transport input telnet

    Oh... great to hear that your problem is resolved... Google is always God the father!

    By

    Knockaert

  • AAA new-model

    How does the command "aaa authentication enable default group radius" work? I serve my RADIUS from a Cisco Secure ACS 4.2 server, but I cannot log in... Is there anyone here who can give me an understanding of this command? I need this for my CCNA Security exam... Help, please...

    Additional information:

    IETF RADIUS attributes: NAS calls

    Here is my config on R1:

    !
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$e.TZ$EXkOaZ0rkd/GBGLA/8GrD/
    !
    aaa new-model
    !
    !
    aaa authentication enable default group radius
    !
    !
    aaa session-id common
    !
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    no ip domain lookup
    ip domain name aida.com
    ip ssh version 2
    !
    !
    username mark privilege 15 password 7 110418171C
    username anthony password 7 050A081B29434010
    !
    interface Loopback1
     ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.5.1 255.255.255.248
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.252
     duplex auto
     speed auto
    !
    router eigrp 100
     network 1.1.1.1 0.0.0.0
     network 10.10.10.0 0.0.0.3
     network 192.168.5.0 0.0.0.7
     no auto-summary
    !
    !
    no ip http server
    no ip http secure-server
    !
    !
    radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login local
     transport input ssh
    !
    !
    end

    Hi Bro

    The command 'aaa authentication enable default group radius' means: for your enable password, you want the router to refer to the ACS server and obtain the credentials.

    Another example: the command 'aaa authentication enable default group radius enable' means that for your enable password, you want the router to refer to the ACS server and obtain the credentials, and in case your ACS is down, you want the router to check the local enable password and obtain the credentials.

    I saw what you are trying to achieve, and you can do this on RADIUS as well, but I personally prefer TACACS+ where possible.

    !
    aaa new-model
    !
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default local
    !
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco123

    Note: $enab15$ appears because you have not configured aaa authorization commands. You can add a dummy username $enab15$ in your ACS, or you could paste the commands below into your router.

    username admin privilege 15 password 0 cisco123
    username operator privilege 7 password 0 cisco123


  • AAA authentication as user name failed

    I recently tried to set up a Cisco WLC 4402 running 7.0.235.0 with RADIUS on Windows Server 2008 R2. I set my security type to WPA2-Enterprise with AES encryption and Microsoft PEAP, exported a certificate from my CA server and installed it on my client machine.

    I don't know what I'm missing, let me know what information should still help you. I have attached a few screenshots.

    0 Mon Jul 22 10:25:58 2013 Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC: 00:1e:79:d6:25:e0 Slot: 0 User Name: unknown Ip Address: Reason: 802.1x Authentication failed 3 times. ReasonCode: 4
    1 Mon Jul 22 10:25:58 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    2 Mon Jul 22 10:25:54 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    3 Mon Jul 22 10:25:49 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER

    The issue seems to be with the server-side certificate. Based on your first post, I understand you are using a third-party certificate. Is it possible for you to issue a new certificate and try again? Or please export the certificate and attach it in your next reply.

    Certificate requirements for PEAP and EAP

    http://TechNet.Microsoft.com/en-us/library/a1ac8d7e-3479-46B4-932b-ab43362e021b

    By default, these logs are located in the %windir%\System32\Logfiles

    http://TechNet.Microsoft.com/en-us/library/dd197464%28V=WS.10%29.aspx

    ~ BR
    Jatin kone


  • No encrypted local password in config?

    I hope this is the right section to ask this question. I'm putting up a new 2811 router (moving from a 2611). We have local usernames on the 2611 for authenticating SSH connections and PPTP sessions. The passwords associated with the usernames are encrypted when viewed with a sh run or in a configuration copied to TFTP, but on the new router the passwords show as plain text. Is it because I have not yet put AAA in place as it is on the old router? Is there a better way to do it on the new router (not authenticating locally, but to a second box)?

    Hello

    Try adding

    service password-encryption

    in global configuration (configure terminal).

    This should encrypt the account password so that it is not visible.

    Kind regards

    Prem

  • AAA server group does not work

    All,

    I have an AAA server group set up on my router to use for AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.

    *****************************************************

    version 12.2
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname BUSINESS
    !
    aaa new-model
    aaa group server tacacs+ TACSLOG
     server 192.x.x.x
     server 192.x.x.x
    !
    aaa authentication login default group TACSLOG local
    aaa authorization exec default group TACSLOG local
    aaa accounting exec default start-stop group TACSLOG
    aaa accounting commands 5 default start-stop group TACSLOG
    aaa accounting commands 15 default stop-only group TACSLOG
    enable password xxx
    !
    username xxx password xxx
    username xxx privilege 15
    username xxx autocommand menu ADMIN1
    ip subnet-zero
    !
    !
    ip domain-name SBA.GOV
    !
    !
    call rsvp-sync
    !
    !
    interface FastEthernet0/0
     ip address 192.x.x.x 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    ip classless
    no ip http server
    !
    !
    menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
    menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
    menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
    menu ADMIN1 text 2 SHOW INTERFACE FA0/0
    menu ADMIN1 command 2 SHO INT FA0/0
    menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
    menu ADMIN1 command 3 SHOW RUN INT FA0/0
    menu ADMIN1 text 4 SHOW ARP
    menu ADMIN1 command 4 SHOW ARP
    menu ADMIN1 text 5 LOGOUT
    menu ADMIN1 command 5 LOGOUT
    !
    dial-peer cor custom
    !
    !
    privilege exec level 5 show ip interface brief
    privilege exec level 5 show interface fa0/0
    privilege exec level 5 show running-config interface fa0/0
    privilege exec level 5 show arp
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
    !
    end

    When you define an AAA server group, you associate the IP address of the server with the group name. You must still define the AAA server separately, which is also where you set the key that is used. In your case, you must add to your configuration:

    radius-server host 192.x.x.x key Council

    radius-server host 192.x.x.x key Council

    HTH

    Steve

  • AAA w/RSA: "no authorization type..."

    I've set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA 'Agent hosts' with identical configurations. The router (2621XM/EntServ 12.4(18)) and switch (3560-24PS/IPBase 12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA works fine as far as the passcode being accepted. But the switch won't let me in:

    **********************
    Username:
    Password:
    PASSCODE Accepted
    % Authorization failed.
    **************************

    When I do "deb radius authentication" on each, the outputs are the same until the last 2 lines. The router that works says:

    000055: Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
    000056: Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes

    But the switch says:

    000284: Jan 16 12:20:47 UTC: RADIUS: saved authorization data for user 3030220 at 3034440
    000285: Jan 16 12:20:47 UTC: RADIUS: no authorization type for the user.

    The only other difference I can think of is that I use SSH for the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use another IOS, I think).

    Any clue? TIA

    Paul

    If I were you, I would 'disable' authorization on the Catalyst 3560. I have an identical setup like yours on my Catalyst 2960 and it works very well. See below:

    [[email protected] /root]# telnet 192.168.0.5
    Trying 192.168.0.5...
    Connected to 192.168.0.5 (192.168.0.5).
    Escape character is '^]'.

    *****************
    User Access Verification

    Username: test4
    Password:
    Enter your new PIN, containing 4 to 8 digits,
     or
     to cancel the New PIN procedure:
    Please re-enter new PIN:
    Wait for the token code on your card to change, then log in with the new PIN
    Enter PASSCODE:

    C2960#sh ver
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 16-Jul-07 02:53 by myl
    Image text-base: 0x00003000, data-base: 0x00CC0000

    ROM: Bootstrap program is C2960 boot loader
    BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

    C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
    System returned to ROM by power-on
    System restarted at 23:20:30 GMT Wed Dec 26 2007
    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    [email protected].

    cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
    Processor board ID FOC1036X0F1
    Last reset from power-on
    2 Virtual Ethernet interfaces
    24 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.

    64K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 00:19:55:1B:D6:00
    Motherboard assembly number     : 73-10015-05
    Power supply part number        : 341-0098-02
    Motherboard serial number       : FOC10352NF2
    Power supply serial number      : AZS103402ZF
    Model revision number           : B0
    Motherboard revision number     : B0
    Model number                    : WS-C2960G-24TC-L
    System serial number            : FOC1036X0F1
    Top Assembly Part Number        : 800-26673-02
    Top Assembly Revision Number    : C0
    Version ID                      : V02
    CLEI Code Number                : COM3G00BRA
    Hardware Board Revision Number  : 0x01

    Switch Ports Model              SW Version              SW Image
    ------ ----- -----              ----------              ----------
    *    1 24    WS-C2960G-24TC-L   12.2(25)SEE4            C2960-LANBASEK9-M

    Configuration register is 0xF

    C2960#sh run | inc aaa
    aaa new-model
    aaa authentication login test group radius local
    aaa authentication login test1 group tacacs+ local
    aaa authentication login notac local
    aaa authentication dot1x default group radius
    aaa session-id common
    C2960#

    CCIE Security

  • AAA TACACS+ with backup local auth

    Hello

    I'm trying to get my switches/routers/etc. to use AAA so I can restrict access to the configuration of the devices on my network. I have AAA authentication against ACS v3.3 working now, but for some reason my local user no longer works. I would like to have the option of a local login, just in case my ACS becomes unavailable.

    My config on a 2950 is...

    version 12.1
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    aaa new-model
    aaa authentication login SMOC-access group tacacs+ local enable none
    aaa authorization exec SMOC-access group tacacs+ local
    aaa authorization network SMOC-access group tacacs+ local
    aaa accounting exec SMOC-access stop-only group tacacs+
    aaa accounting network SMOC-access stop-only group tacacs+
    enable secret xxx
    enable password xxx
    !
    username admin privilege 15 secret xxx
    radius-server host 172.20.2.25 key xxx
    radius-server key xxx
    radius-server directed-request
    line vty 0 4
     exec-timeout 15 0
     password xxx
     authorization exec SMOC-access
     accounting exec SMOC-access
     logging synchronous
     login authentication SMOC-access
     length 48
    line vty 5 15
     password xxx
    !

    The only time the local user will work is when your RADIUS server is not available. You can test this by putting in the wrong TACACS+ key and establishing a new session. Be sure to keep the original session open, just in case :-)

    HTH and rate please.

  • How to set up a connection to local access, but with the MD5 encrypted password

    Hello

    I can set up an unencrypted password, but how do you create an encrypted one?

    Thank you
    Jeff

    Hi Jeff,

    Use "secret" instead of "password". For example, instead of using something like 'username example password Cisco', use 'username example secret Cisco'. That way, your secret is hashed with MD5.

    You can also consider using an external AAA server for authentication.
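    Both this thread and the earlier "No encrypted local password in config?" thread come down to the same question: which of the credentials in a running-config are stored recoverably. The following is an added example, not code from either thread or from Cisco: a small Python audit that walks an IOS-style config and classifies each `username`, `enable` and line `password` by its storage type digit (0 cleartext, 7 reversible obfuscation, 5 MD5, 8 PBKDF2-SHA256, 9 scrypt) so that the weak ones can be found before a config is backed up to TFTP or pasted into a ticket. The sample configuration, hashes and names are constructed.

```python
"""Audit an IOS running-config for how local credentials are stored.
Added example, not code from the original threads. The type digits follow the
standard IOS meaning; the sample config, names and hash strings are constructed."""
import re
from typing import Dict, List, Optional

TYPE_MEANING = {
    "0": "cleartext",
    "7": "type 7 reversible obfuscation (what 'service password-encryption' produces)",
    "5": "type 5 MD5 hash (what 'secret' produces on classic IOS)",
    "8": "type 8 PBKDF2-SHA256",
    "9": "type 9 scrypt",
}
# Recoverable from a config dump: these are the ones the threads call "not encrypted".
WEAK_TYPES = {"0", "7"}

USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?"
    r"\s+(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+\S+")
ENABLE_RE = re.compile(r"^\s*enable\s+(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+\S+")
LINE_RE = re.compile(r"^\s*line\s+(?P<line>.+?)\s*$")
LINE_PASSWORD_RE = re.compile(r"^\s+password(?:\s+(?P<type>\d))?\s+\S+")


def storage_type(keyword: str, type_digit: Optional[str]) -> str:
    """Resolve the type digit. Typed without a digit, 'secret' is hashed on entry
    (type 5 on classic IOS) while 'password' is kept as typed (type 0) unless
    'service password-encryption' later rewrites it as type 7."""
    if type_digit is None:
        return "5" if keyword == "secret" else "0"
    return type_digit


def has_password_encryption(config: str) -> bool:
    """True only for an explicit 'service password-encryption' line (not 'no ...')."""
    return any(l.strip() == "service password-encryption" for l in config.splitlines())


def audit_config(config: str) -> List[Dict[str, object]]:
    """One finding per credential: where it is, its type digit, and whether it is weak."""
    findings: List[Dict[str, object]] = []
    current_line = None  # which 'line ...' section a nested 'password' belongs to
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current_line = "line " + m.group("line")
            continue
        if not raw.startswith(" "):
            current_line = None  # back at global configuration level
        m = USERNAME_RE.match(raw) or ENABLE_RE.match(raw)
        if m:
            d = m.groupdict()
            scope = "username " + d["user"] if d.get("user") else "enable " + d["kw"]
            t = storage_type(d["kw"], d["type"])
        elif current_line and LINE_PASSWORD_RE.match(raw):
            scope = current_line
            t = storage_type("password", LINE_PASSWORD_RE.match(raw).group("type"))
        else:
            continue
        findings.append({"scope": scope, "type": t,
                         "storage": TYPE_MEANING.get(t, "unknown type " + t),
                         "weak": t in WEAK_TYPES})
    return findings


def weak_credentials(config: str) -> List[str]:
    """Scopes whose credential can be recovered from the config text."""
    return [str(f["scope"]) for f in audit_config(config) if f["weak"]]


# Constructed sample config: every hash value below is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
hostname R1
enable secret 5 $1$CONSTRUCTED$placeholderhash
enable password cisco123
username admin privilege 15 secret 9 $9$CONSTRUCTEDscryptplaceholder
username mark privilege 15 password 7 110418171C
username backup password 0 letmein
username svc autocommand menu ADMIN1
line con 0
 login local
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "WEAK" if f["weak"] else "ok  "
        print(f"{flag} {f['scope']:<22} type {f['type']}: {f['storage']}")
    if not has_password_encryption(SAMPLE_CONFIG):
        print("note: service password-encryption is off, so type-0 passwords stay cleartext")
```

    The audit deliberately reports type 7 as weak even though 'service password-encryption' produces it: that setting only stops shoulder-surfing of a `show run`, so the advice in this thread (use `secret`, or move authentication to an external AAA server) is the fix for the earlier thread's problem as well.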

  • NPS Windows Help for authentication of aaa for Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of online tutorials for setting up RADIUS authentication on a Cisco router against a Windows Server NPS. Now I can SSH into the router with my AD account.

    Now that I got it to work, I go to the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)
     login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:

    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:

    How is my password being encrypted and how strong is the encryption?

    Another thing: how can I configure aaa authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using PPP, I'm using AAA with a RADIUS server.

    Hello

    RADIUS encrypts the password but sends the username in the clear. TACACS+ encrypts both the username and the password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAPv2 is used for user authentication such as remote access and VPN, not for switch management.

    Thank you

    John

  • No aaa new-model in the config

    Hi all.

    First Cisco router and first post so please be gentle.

    I did a search on it and got the same answer as in the post, which says to issue:

    Router(config)#no aaa new-model

    IOS 12.4(24)

    I erased the router, and when I got it up I had a configuration, a little as I wanted it, as a reference point.

    I saved it.

    I then started to work on the wireless part of the walkthrough, which has:

    Router(config)#aaa new-model

    Router(config)#

    So I went back and tried to erase this line from the config file.

    Yes, I did:

    Router(config)#no aaa new-model

    Router(config)#exit

    Router#wr

    Router#show run

    I continue to see the "no aaa new-model" line in the config.

    So I erased the whole thing to help:

    Router#write erase

    and

    Router#reload

    said no to saving and then took the default for the last question.

    Everything reloaded and it seemed to be back as before, but then show run outputs this, no matter how many times I erase and reload:

    Router>en
    Router#show run
    Building configuration...

    Current configuration : 1331 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    !
    no aaa new-model
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    archive
     log config
      hidekeys
    !
    !
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio1
     no ip address
     shutdown
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     --More--
    *Jan 16 23:40:09.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to
     station-role root
    !
    interface FastEthernet0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     login
    !
    end

    Is there a way to remove that line from the config, or is it stuck, and if it is stuck, does it have any effect?

    Thank you very much

    Maurice

    Hello Maurice.

    Just to confirm: you want the 'no aaa new-model' command to be removed from your config? If so, this is the default when AAA is disabled on the device. If you want to enable AAA, then just run the same command without the 'no '.

     aaa new-model

    Then save your config:

     write mem

    For more information about this and other commands, you can reference Cisco's 'Command Lookup Tool':

    https://Tools.Cisco.com/support/CLILookup/cltSearchAction.do

    I hope this helps!


  • Problem with MS IAS and AAA

    I am configuring AAA. I'm setting up a router so that when users access it via the vty lines, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test aaa group AUTH administrator xxxxxxx legacy' it gives the following error:

    Attempting authentication test to server-group AUTH using radius
    *Mar 1 01:01:04.991: AAA: parse name= idb type=-1 tty=-1
    *Mar 1 01:01:04.991: AAA/MEMORY: create_user (0x6417FF80) user='Administrator' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    No authoritative response from any server.
    RTR#
    *Mar 1 01:01:23.647: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.243:1812,1813 is not responding.
    *Mar 1 01:01:23.655: AAA/MEMORY: free_user (0x6417FF80) user='Administrator' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    *Mar 1 01:01:23.655: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.243:1812,1813 is being marked alive.

    I also used the default ports for authentication, but still no use. I am able to ping the RADIUS server from the router and ping the router from the RADIUS server.

    The RADIUS server is installed in VMware and the router is emulated in Dynamips.

    Here is the configuration of the router

    RTR#sh run
    Building configuration...

    Current configuration : 863 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR
    !
    boot-start-marker
    boot-end-marker
    !
    !
    aaa new-model
    !
    !
    aaa group server radius AUTH
     server 172.16.1.243 auth-port 1812 acct-port 1813
    !
    aaa authentication login AUTH group radius
    !
    aaa session-id common
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    interface Loopback1
     no ip address
    !
    interface FastEthernet0/0
     ip address 172.16.1.241 255.255.255.0
     duplex auto
     speed auto
    !
    ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    !
    !
    ip radius source-interface FastEthernet0/0
    !
    !
    radius-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login authentication AUTH
    !
    !
    end

    Do you see any hits in the 2003 event logs? If not, the request is not reaching the RADIUS server.

    Keep in mind that Dynamips sometimes shows abnormal behavior. Since you are able to ping, connectivity seems to be fine here.

    Check the shared secret key and make sure that the RADIUS ports are open; check whether there is a firewall between the two.

    Kind regards

    ~ JG
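    The reply above boils down to three checks: is the Access-Request reaching the server, does the shared secret match, and is the server answering on the expected port. The following is an added example, not code from the thread, from Cisco or from Microsoft: a standard-library Python prober that builds an RFC 2865 Access-Request from a host on the same segment, applies the MD5-based User-Password hiding the protocol uses, sends it, and classifies the reply by verifying the Response Authenticator under the secret you supply. The server address 172.16.1.243, NAS address 172.16.1.241 and the key "xxxxx" are placeholders copied from the posted configuration; the username/password defaults are assumptions. The practitioner caveat it encodes: "timeout" is all a NAS ever sees whether the port is filtered, the NAS IP is not registered as a RADIUS client on IAS (IAS silently discards such requests), or the server checked a Message-Authenticator under a different secret; a server that only decrypts the password under a mismatched secret instead returns Access-Reject, and a reply whose Response Authenticator fails to verify is reported as "bad-authenticator" rather than trusted.

```python
"""Added example: minimal RADIUS (RFC 2865) Access-Request prober, stdlib only.
Hypothetical helper written for this thread; not Cisco or Microsoft code."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2 User-Password 'hiding': pad with NULs to a multiple of 16, then
    XOR each 16-byte block with MD5(secret + previous block); the 'previous block'
    for the first block is the Request Authenticator. This is an MD5-derived XOR
    keystream, not a cipher you can swap for 3DES or AES."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return out


def unhide_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: what the server does, and what anyone holding the
    secret plus a packet capture can do too."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, nas_ip, ident=0, req_auth=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(secret, req_auth, code, ident, attrs) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def classify_response(secret, req_auth, ident, packet) -> str:
    """Map a reply to accept/reject/challenge, refusing replies whose Response
    Authenticator does not verify under our secret (secret mismatch or spoofed reply)."""
    if len(packet) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length < 20 or length > len(packet):
        return "malformed"
    attrs = packet[20:length]
    expected = response_authenticator(secret, req_auth, code, rid, attrs)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(code, "code-%d" % code)


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0) -> str:
    """Send one Access-Request and classify the outcome. 'timeout' is what a NAS sees
    for a filtered port, an unregistered RADIUS client, or a silently discarded request."""
    ident = os.urandom(1)[0]
    req = build_access_request(secret, username, password, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(secret, req[4:20], ident, data)


if __name__ == "__main__":
    # Placeholders from the thread (server 172.16.1.243, NAS 172.16.1.241, key "xxxxx");
    # override with: python radius_probe.py <server> <secret> <user> <password>
    args = sys.argv[1:]
    server = args[0] if args else "172.16.1.243"
    secret = args[1].encode() if len(args) > 1 else b"xxxxx"
    user = args[2].encode() if len(args) > 2 else b"Administrator"
    pw = args[3].encode() if len(args) > 3 else b"password"
    print(probe(server, secret, user, pw, "172.16.1.241"))
```

    Run it from a host with the same source address the router uses (or register that host as a RADIUS client on IAS first), and compare the result with the 2003 event log: an Access-Reject with an event logged means the path and secret are fine and only the credentials or the IAS policy are wrong; a timeout with nothing logged means the request never got there or was discarded on arrival.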

  • AAA problem on ASA

    Hi all

    I have configured TACACS+ on the ASA, but the problem is that when I try to Telnet in, it authenticates me with my username & password on ACS, but I can't get to privilege level 15 as configured on ACS. It asks me for the enable password and does not accept the ACS password. I used shell authorization for privilege 15. The configuration done on the ASA is:

    name 172.30.xx.xx DCC-1
    name 172.30.yy.yy DCC-2
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ host DCC-1
     key Cisco
    aaa-server TACACS+ host DCC-2
     key Cisco
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ TACACS+
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    enable password V3VzjwYzTRfTLwOb encrypted
    enable password V3VzjwYzTRfTLwOb encrypted
    username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
    username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15

    I even added my username & password to the local database on the ASA, the same as on ACS. Still no progress...

    Can anyone give a suggestion on this?

    Kind regards

    Piyush

    It is not asking for shell privilege level 15 but for enable privileges. This must be set to 15 in ACS ---> User Setup ---> Enable Options ---> Max Privilege for any AAA Client --> 15

  • PIX 501 & VPN Client unable to ping or encrypt traffic?

    I'm new and I'm working on my CCNA. I have a PIX set up behind a DSL router with NAT that I cannot turn off. I created a pinhole for IPsec traffic on port 500 to my PIX outside interface. I can connect correctly with the VPN Client software. I think I establish an IKE and IPsec tunnel fine. I used the wizard to configure the VPN. I have a DHCP pool which issues an IP address correctly, and a user group with a password set. There is no site-to-site VPN; the network is a peer network without any DNS or WINS server on the local network. I'm lost, frustrated and tired of a 45-minute drive to this site whenever I want to try a new configuration. It is essentially an out-of-the-box PIX. There is really no configuration on it at all. Here is my config.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname pix
    domain-name ciscopix.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm drop reset
    ip local pool pool1 10.10.10.1-10.10.10.10
    pdm location 192.168.12.0 255.255.255.240 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup test address-pool pool1
    vpngroup test idle-time 1800
    vpngroup test password *
    telnet timeout 5
    ssh timeout 5
    console timeout 15
    vpdn enable outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    banner exec Unauthorized access prohibited
    banner login Unauthorized access prohibited
    banner motd Unauthorized access prohibited
    Cryptochecksum:xxx
    : end

    Thank you...

    Hi gkotlin

    Mark the request as solved so that it is not seen by others. Rate the post if you found it useful... Thank you
