TACACS+ authentication on Juniper ScreenOS using ACS 5.3
TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives access denied. TACACS config attached:
set auth-server "TACACS+" id 1
set auth-server "TACACS+" server-name "10.10.xx.yy"
set auth-server "TACACS+" account-type admin
set auth-server "TACACS+" type tacacs
set auth-server "TACACS+" tacacs secret "xxxx"
set auth-server "TACACS+" tacacs port 49
set admin auth server "TACACS+"
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Please advise.
I guess you posted a screenshot. I'm looking forward to the file being downloadable for analysis.
~ BR
Jatin kone
* Please rate useful posts *
Tags: Cisco Security
Similar Questions
-
VPN authentication using ACS 5.2
I want to use ACS 5.2 to authenticate VPN users and wireless.
For VPN users, there is an internal group on the ACS box and an Active Directory group in AD. I would like to be able to use both sources to authenticate VPN users. Some VPN users will have local accounts on the ACS, others on the AD box. I'm having a hard time working out the policy. It seems that I can use either AD or internal users, but not both.
Create an identity store sequence and have the internal users and AD in the sequence (refer to the attached screenshot), and you can use this identity sequence in the access policy, so that both the internal store and the external AD store are checked.
Note: please rate the answer if it was helpful
-
Unable to switch to the privilege level using the enable password set in ACS
Hi all
I am not able to get to the privilege level using the enable password set in ACS 1121 (5.4.0.46).
Please find details of the ASA-
ASA5580-20
Software version - 9.1
LAB-FW# sh run | i aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.x.x
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting telnet console TACACS+
aaa accounting ssh console TACACS+
aaa accounting enable console TACACS+
no vpn-addr-assign aaa
I created the shell profile and gave it privilege 15; please find snap 1 in the attached Word doc.
However, when I try to create the service profile I get the error message, please find snap 2 in word doc attached.
Kindly share your expertise.
Hello Dominic,
For authorization privileges to take effect, you must add the following command to your configuration on the ASA:
aaa authorization exec authentication-server
After adding it, the ASA will take into account the privilege level that is sent by the ACS.
Regarding the error you are getting on the graphical interface of the ACS, please make sure that you are using a browser supported for ACS version 5.4 based on the release notes:
http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...
Note: Please mark it as answered as appropriate.
-
ACS 4.2 TACACS+ authentication failure. Key mismatch
I have configured 10 layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They are all using the same key and work correctly. I went to another 3750 switch located across a point-to-point circuit, Cisco software C3750 (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration and then entered the key, tried to log in as a user and got authentication failed. I checked the server and see key mismatch in the reports and activity, failed attempt. I've removed the key, copied and pasted it from Notepad, still does not work. Removed the switch from the ACS network device group and then re-added it, put in a new key without special characters. No go.
Here is the config.
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
ip tacacs source-interface FastEthernet0/0
tacacs-server host 10.1.1.1
radius-server key 0 itspassword
radius-server directed-request
Initially, the password was encrypted, so I changed it to clear text by typing the password without the 0 and with the 0. Neither worked. Also removed service password-encryption to see if that would do anything.
I usually have SSH for the router, so I changed it to accept telnet. That did not work. Changed SSH, reset the RSA keys and modified it so that it uses SSH2, which did not work.
Here's what I get from the logs:
Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.
I looked around the forum for about 4 hours and tried all the other options that were given to other people with a similar problem. The last key I put in was 123456. You can't fat-finger that. The switch log says check the key; the firewall is configured to allow all traffic from the AAA client.
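The "received bad AUTHEN packet ... (check keys)" lines above are the switch failing a consistency check on a reply it de-obfuscated with the wrong shared secret. The following Python script is an added illustration, not code from this thread or from Cisco: it implements the TACACS+ body obfuscation from RFC 8907 section 4.5 (an MD5 pseudo-pad XORed over the packet body), builds an authentication REPLY the way a server would, and then de-obfuscates it with a matching and with a mismatching key, applying the same "length vs. expected" check a device performs. The session id and version value come from the debug output; the keys, the status code used and all function names are constructed for the example.

```python
"""
TACACS+ body obfuscation (RFC 8907, section 4.5) and the "check keys" symptom.

Added example, not part of the original thread or of any Cisco software.
It models why a shared-secret mismatch shows up on an IOS device as
    TAC+: received bad AUTHEN packet: length = 6, expected 80467
    TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
The server obfuscates the REPLY body with its key and the device de-obfuscates
with its own key; if the keys differ, the length fields decode to garbage and
the sanity check on the body fails. Session id 97563278 and ver=192 are taken
from the debug output above; both keys are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_MINOR = 0xC0          # "ver=192" in the switch debug: major 0xc, minor 0
AUTHEN_REPLY_FIXED = 6               # status(1) flags(1) server_msg_len(2) data_len(2)
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length. This is obfuscation, not encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Authentication REPLY body as a server would build it before obfuscation."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def check_authen_reply(body: bytes):
    """The consistency check a device applies to a de-obfuscated REPLY body.
    Returns (ok, actual_length, expected_length) in the terms IOS logs them."""
    if len(body) < AUTHEN_REPLY_FIXED:
        return False, len(body), None
    _status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:AUTHEN_REPLY_FIXED])
    expected = AUTHEN_REPLY_FIXED + msg_len + data_len
    return expected == len(body), len(body), expected


def simulate_exchange(server_key: bytes, device_key: bytes,
                      session_id: int = 97563278, server_msg: bytes = b""):
    """Server sends a GETUSER REPLY (seq_no 2) obfuscated with server_key; the
    device de-obfuscates with device_key and validates the result."""
    body = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETUSER, server_msg)
    wire = obfuscate(body, session_id, server_key, TAC_PLUS_MAJOR_MINOR, 2)
    decoded = obfuscate(wire, session_id, device_key, TAC_PLUS_MAJOR_MINOR, 2)
    return check_authen_reply(decoded)


if __name__ == "__main__":
    # Constructed keys: the thread's "123456" test key versus a different one.
    print("matching keys  :", simulate_exchange(b"123456", b"123456"))
    print("mismatched keys:", simulate_exchange(b"123456", b"itspassword"))
```

With matching keys the check returns (True, 6, 6); with mismatched keys the six received bytes decode to random-looking length fields, so the "expected" value is a large number that bears no relation to the actual length, which is exactly the shape of the two log lines above. Note also that the device cannot tell a wrong key from a corrupted packet by this check alone, which is why the log says "check keys" rather than "key mismatch".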
Hi green2003mg,
The key of the group (the NDG your switch belongs to) overrides the key. Have you checked that one?
Greetz,
Julia
-
RADIUS and TACACS+ authentication
We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use TACACS+ and RADIUS.
Can someone give me a pointer?
Thank you
You need to set up the authentication on the switch once.
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
radius-server host 2.2.2.2 key cisco
tacacs-server host 2.2.2.2 key cisco
On ACS, you must add the switch twice.
ACS ---> Network Configuration ---> Add AAA client
Hostname: switch1
IP: 3.3.3.3
Authenticate using: RADIUS (IETF)
Add another switch
Hostname: switch2
IP: 3.3.3.3
Authenticate using: TACACS+
Kind regards
~ JG
Please rate useful posts
-
ISE TACACS authentication - logs in before deciding whether you should have access
I'm moving from Cisco ACS to Cisco ISE version 2.1 to control TACACS for my network devices. I opened a case with TAC, but the answer seems counter-intuitive to me, and I'm hoping for verification that this is now the way Cisco does it, or that I just need to set up my policy sets differently.
For a switch using ACS for administration, a user will SSH to the device and, if they are not in the right AD security group, the user will receive an access denied response.
With ISE TACACS for administration, the user will SSH to the device and, because they are a member of the AD domain, they authenticate and log in to the device and actually get a command prompt. Now, if this same user is not in the right AD security group, they will not be allowed to do anything on the switch.
According to my TAC engineer, ISE needs to identify the user before it can decide if that user is allowed to access the device. That is not fine with me because basically anyone in my company can now log on to these devices. Besides putting ACLs on the switches that allow access only from certain computers, what are others doing to mitigate this risk?
Thank you
Hi Ken,
In case you configured your ISE with a fresh 2.1 installation, follow these steps: in the "Device Admin Policy Sets", leave the "Authentication" part of a rule as it is.
In the "Authorization" section, add your AD security groups as conditions (select the box on the right under Conditions -> Create New Condition -> "Select Attribute": "AD login name" -> ExternalGroups -> "equals" -> choose the AD group name) and the right command set and shell profile for each security group. Now the important part: the last rule is the default rule that will be used if the user is not a member of a security group that was the condition of a previous rule.
Here you should make sure that the "Deny All Shell Profile" is selected; it means that if this rule is used, the user will be blocked from access. In case you upgraded from 2.0 to 2.1, you may be suffering from this bug:
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCva04654/?referring_site=bugquickviewredir Then you simply do not have a "Deny All Shell Profile" as an option.
I built a workaround for my system:
I created a new shell profile, which has privilege level 0 as the maximum level and "disconnect" as the auto command.
I loaded this shell profile into the default rule.
Maybe this isn't the best solution, but it does what it should do. Let me know if it worked, and please rate useful responses!
Greetings,
Max
Edit: spelling mistakes
-
Question on RA VPN user AAA using ACS 5.3
Hello
I'm setting up VPN on an ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will have access to 5.6.7.0/24. User authentication will be done using RADIUS on ACS 5.3.
On the ASA, I configured VPN pools, VPN ACLs, IP, tunnel groups and a group policy for each group.
On ACS, I created vpn-user1 and vpn-user2 for each of the 2 groups.
I don't know if some more configuration must be done on the ASA and ACS. Do I need to add the new users - vpn-user1 and vpn-user2 - on the ASA, under each corresponding group policy, using the vpn-group-policy command? Or do I need to do something else on the ACS?
Finally, how can I configure authorization and accounting for VPN users? Do I have to do this on ACS or on the ASA?
Please advise.
Thank you.
Hello
Authentication using RADIUS aims to centralize user accounts and policies so that you will not have to configure these on the ASA. You must create an authentication server group that points to your ACS, then you will have to reference this server group in your tunnel-group so that user authentication requests will be forwarded to ACS for authentication. For accounting you will create an accounting server group and also assign it to your tunnel-group configuration.
On ACS, you will need to create a network device that is the ASA, and the shared secret will be the same. You create a network authorization policy element that has the permission settings, or you can choose Permit Access, which allows authentication to succeed without any special authorization.
You can debug the session using debug crypto vpnclient 255 to view the authentication flow.
Are you using SSL VPN (AnyConnect) for these sessions?
Thank you
Tarik Admani
-
How to use ACS 5.2 to create a static IP address for a remote access VPN user
Hi all
I have the problem. Please help me.
Initially, I used ACS 4.2 to create the static IP address for remote access VPN users; it's easy, simply configure User Setup > Client IP Address Assignment > Assign static IP address, but with ACS 5.2 I don't know how to do it.
I'm trying to add the IPv4 address attribute to the user; reading "how to use ACS 5.2", it says this:
Step 1 Add a static IP attribute to the internal user attribute dictionary:
Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3 Click Create.
Step 4 Add the static IP attribute.
Step 5 Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6 Click Create.
Step 7 Edit the static IP attribute of the user.
I did just that, but it doesn't work. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on the internal user, so the tunnel setup fails. I tried configuring an IP pool on the ASA for ACS users to get an IP, and the EasyVPN client connects to the ASA; everything is OK, the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.
So, what should I do? If anybody knows how to use ACS 5.2 to create a user with a static IP address for remote access VPN, please tell me.
Waiting for your answer; right or not, please answer, thank you.
There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two slides attached.
-
This just showed up on my screen while using Firefox, in a small box: "Applecare would like to view your screen".
Did you specifically ask for their help? If not, then dismiss the dialog box. It's probably a scam coming through your open browser.
-
I don't like Google's new policy, which begins in March 2012.
I don't want to see Google displayed in the middle of my search bar as the only option. How do I change it to another smart search, such as at the top of the screen? I use BING, but it's a bit of a small space to see what I typed.
TY
Hi larafox,
Copy this address: https://duckduckgo.com/
Open Tools (Alt + T) > General, paste the copied address in the box next to Home Page:, click the box (above) next to "When Firefox starts:", select the "Show my home page" option, and then click OK below.
-
Cannot do a screenshot using Command Shift 4. Unable to capture the screen. I restarted the Mac.
That one captures a portion of what you want to screenshot; to take a full-screen shot use Control + 3.
-
How to set a component at the bottom of the screen without using setStatus()
I created a custom HorizontalFieldManager and want to put it at the bottom of the main screen in my application. My custom HorizontalFieldManager contains three bitmap fields... please help me put it at the bottom of the screen without using the setStatus method.
OK... It is finally done... Thanks for the help
-
How do I use ACS encryption for its backup?
How do I use ACS encryption for its backup system?
Bruce,
ACS backup is encrypted with the RC2 40-bit encryption method. The encryption
option encrypts the already-encrypted data further for transmission
between ACS and the FTP server.
Kind regards
~ JG
Please rate useful posts
-
Half of the screen is used by "Select a file to preview".
Sir,
Every time I open a folder in Windows 8, the right half of the screen is used by the line "Select a file to preview". I don't know how it appeared, but can someone tell me how to remove it?
Thank you
In File Explorer, select "View" and then click "Preview pane" to remove it.
-
If I want to make a shared screen using video and graphics, which Adobe programs would achieve this?
Premiere Pro... Ask for details at http://forums.adobe.com/community/premiere/content