TACACS+ Configuration

Hello

I am trying to build a TACACS+ config on my network devices. I have an ACS doing the authentication. What I want is to have TACACS authenticate my users and allow them access. However, I would like to leave console access using both a local username and the local enable password so that I have a backdoor in case of future problems. I have everything working except the ability to enter enable mode on the console using the local enable password. I get an authentication error, because I think the device tries to authenticate the enable password against ACS as a result of:

aaa authentication enable default group tacacs+ enable

I can get around it by applying privilege level 15 directly to the line so it goes straight into enable mode, but that seems less secure.

Any ideas?

Here are the relevant bits of my config (and I don't have a local username and enable defined):

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
! record type on the level-0 line was garbled in the post; stop-only is a reconstruction
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

line con 0
 password 7
 login authentication console

Thanks in advance

Hi Rose,

Unfortunately, there is no way to apply a specific method list for enable authentication to the console.

Named method lists for enable authentication are not supported.

Regards,
~JG

Do rate helpful posts
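The point JG makes, worked through as an added example (this is not code from the thread or from Cisco): a small parser for the `aaa authentication` / `aaa authorization` lines and the `line` sub-commands, plus a walk of a method list the way IOS evaluates it. The sample config is constructed after the one posted above; the list names and the `evaluate` outcomes are assumptions. Two things fall out of it: a named list bound to `line con 0` never affects `enable`, which only has a `default` list, and a reject from the TACACS+ server is final, so the trailing `enable` method is consulted only when the server is unreachable, not when it says no.

```python
"""Resolve which AAA method list an IOS line actually uses, and walk it.

Added example; not code from the thread. SAMPLE_CONFIG is constructed after
the config posted above (list names are assumptions).
"""

# Constructed IOS config: the console gets a local-only login list, but
# enable authentication in IOS only ever has a "default" list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
aaa authorization commands 15 default group tacacs+ local none
line con 0
 login authentication console
 authorization exec console
line vty 0 4
"""


def _methods(tokens):
    """Join 'group <name>' into a single method token; others stay as-is."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_config(text):
    """Return (lists, lines).

    lists: {(service, kind, list_name): [method, ...]} from global aaa lines
    lines: {line_name: {(service, kind): list_name}} from line sub-commands
    """
    lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if raw.startswith(" "):                      # sub-command of a line block
            if current is None:
                continue
            if tokens[:2] == ["login", "authentication"] and len(tokens) == 3:
                lines[current][("authentication", "login")] = tokens[2]
            elif tokens[0] == "authorization" and len(tokens) == 3:
                lines[current][("authorization", tokens[1])] = tokens[2]
            continue
        current = None
        if tokens[0] == "line":
            current = " ".join(tokens[1:])
            lines[current] = {}
        elif tokens[:2] in (["aaa", "authentication"], ["aaa", "authorization"]):
            service, kind, idx = tokens[1], tokens[2], 3
            if kind == "commands":                   # "commands <level> <list> ..."
                kind, idx = f"commands {tokens[3]}", 4
            if idx < len(tokens):                    # skips e.g. "aaa authorization config-commands"
                lists[(service, kind, tokens[idx])] = _methods(tokens[idx + 1:])
    return lists, lines


def resolve(lists, lines, line_name, service, kind):
    """List name and methods that apply to line_name for (service, kind).

    Enable authentication is the special case the thread is about: IOS has
    no named lists for it, so every line uses "default" regardless of the
    line's own "login authentication" setting.
    """
    if (service, kind) == ("authentication", "enable"):
        name = "default"
    else:
        name = lines.get(line_name, {}).get((service, kind), "default")
    return name, lists.get((service, kind, name), [])


def evaluate(methods, outcomes):
    """Walk a method list the way IOS does.

    outcomes maps a method to "pass", "fail" or "error". Only "error"
    (server unreachable) hands over to the next method; a reject is final.
    Returns (deciding_method, result), or (None, "error") if all errored.
    """
    for method in methods:
        result = outcomes.get(method, "error")
        if result in ("pass", "fail"):
            return method, result
    return None, "error"


if __name__ == "__main__":
    lists, lines = parse_config(SAMPLE_CONFIG)
    for kind in ("login", "enable"):
        print("con 0", kind, "->", resolve(lists, lines, "con 0", "authentication", kind))
    enable_methods = resolve(lists, lines, "con 0", "authentication", "enable")[1]
    # ACS reachable, but the user has no enable password there: the reject is final.
    print(evaluate(enable_methods, {"group tacacs+": "fail", "enable": "pass"}))
    # ACS unreachable: the local enable secret is consulted.
    print(evaluate(enable_methods, {"group tacacs+": "error", "enable": "pass"}))
```

Run stand-alone it prints the lists resolved for `con 0` and the two `evaluate` outcomes. The second outcome is the fallback that does work when ACS is down, which is what the `enable` method at the end of the default list buys you; it does nothing for a user ACS knows but refuses an enable password to.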

Tags: Cisco Security

Similar Questions

  • TACACS+ configuration on a 1900

    Forgive me if this question belongs in the General Security forum.

    I read Document ID 9906, configuring TACACS+ on the Catalyst 1900.

    I have a 1924 configuration that has TACACS on it. The switch is not on my network yet... I use a console cable to configure it. I tftp'd the running config into NVRAM. Somehow in the process, I have an enable password level 15 xxxxx left in the config.

    When I log in to the switch and go into enable mode... TACACS has to time out several times before I can get in.

    My question has to do with the enable secret password vs. having an enable password level 15.

    Right now I have both... To make my configuration match what is in the rest of my network that is online, I need to remove the enable password level 15 xxxx command (pretending xxxx is the pw) because its pw is not encrypted.

    Which leaves me with the enable secret password alone.

    My concern is that when I take off the enable password level 15... I won't be able to get back into my switch!

    enable use-tacacs

    and

    tacacs-server last-resort password

    are both in my configuration.

    Can I take out the enable password level 15 xxxx, leaving the enable secret in, and not be locked out of the switch?

    Keep in mind that the 1924 is not on my network yet... I have to drive hundreds of miles to install it and don't want to get into trouble when I'm there with it.

    Hello

    The main difference between the enable password and the enable secret password is that the enable password uses a reversible encryption function, so the plaintext password can be recovered from the encrypted password. The enable secret password, however, uses a non-reversible encryption function.

    The only time the enable password is used is if the enable secret password is disabled (or you are using an old image that does not support the enable secret password).

    Therefore, it should be perfectly safe to remove the enable password. You will not get locked out of the switch as long as you know the enable secret password.

    Hope that helps - pls rate the post if it does.

    Paresh
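Paresh's distinction, as an added example (not from the thread or from Cisco): an audit that classifies every stored password in an IOS config by its keyword and type digit, and a Type 7 encode/decode pair that makes the word "reversible" concrete. The sample config, the usernames and the `$1$`/`$9$` hash placeholders are constructed; the key string is the fixed one IOS uses for `service password-encryption`.

```python
"""Classify stored IOS passwords by type and show why Type 7 is reversible.

Added example; not from the thread. The sample config, usernames and the
$1$/$9$ hash placeholders are constructed.
"""
import re

# The fixed key IOS uses for "password 7" (service password-encryption).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plain, seed=2):
    """Two-digit seed, then every byte XORed with the key starting at seed."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        key_byte = ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
        out.append(f"{ord(ch) ^ key_byte:02X}")
    return "".join(out)


def type7_decode(encoded):
    """The same XOR run backwards: whoever holds the config holds the password."""
    seed, body = int(encoded[:2]), encoded[2:]
    chars = []
    for n, i in enumerate(range(0, len(body), 2)):
        key_byte = ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)])
        chars.append(chr(int(body[i:i + 2], 16) ^ key_byte))
    return "".join(chars)


# keyword + type digit -> how the secret is stored
_VERDICT = {
    ("password", "0"): "plaintext",
    ("password", "7"): "reversible (type 7)",
    ("secret", "5"): "hashed (MD5, type 5)",
    ("secret", "8"): "hashed (PBKDF2, type 8)",
    ("secret", "9"): "hashed (scrypt, type 9)",
}

# enable password|secret, username ... password|secret, and line-mode password
_SECRET_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+(?:\s+privilege\s+\d+)?\s+)?"
    r"(password|secret)\s+(?:level\s+\d+\s+)?(?:(\d)\s+)?(\S+)\s*$"
)


def audit_secrets(config_text):
    """Return [(config_line, verdict)] for every stored password or secret."""
    findings = []
    for line in config_text.splitlines():
        m = _SECRET_RE.match(line)
        if not m:
            continue
        keyword, type_digit, _value = m.groups()
        if type_digit is None:
            # No type digit: a password is stored as typed; a secret is hashed on entry.
            verdict = "plaintext" if keyword == "password" else "hashed (type set on entry)"
        else:
            verdict = _VERDICT.get((keyword, type_digit), f"unknown type {type_digit}")
        findings.append((line.strip(), verdict))
    return findings


def recoverable(config_text):
    """Lines whose password can be read straight out of a copy of the config."""
    return [line for line, v in audit_secrets(config_text)
            if v == "plaintext" or v.startswith("reversible")]


# Constructed sample: the hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
enable password level 15 cisco123
enable password 7 02050D480809
enable secret 5 $1$abcd$PLACEHOLDER_CONSTRUCTED_HASH
username admin privilege 15 secret 9 $9$PLACEHOLDER_CONSTRUCTED_HASH
username backup password 7 02050D480809
line con 0
 password 7 02050D480809
 login local
"""

if __name__ == "__main__":
    for line, verdict in audit_secrets(SAMPLE_CONFIG):
        print(f"{verdict:28} {line}")
    print("type 7 round trip:", type7_decode(type7_encode("cisco")))
```

The audit is what you would run over a config backup before removing the level-15 `enable password`: anything reported as plaintext or reversible is exposed to whoever can read the file, and only the `secret` lines are safe to leave in. The round trip is the whole argument for the `enable secret`: Type 7 has no secret key, so encoding and decoding are the same operation.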

  • Re: TACACS configuration

    Hi all

    I'm trying to configure authentication for around 300 routers via Cisco TACACS AAA. I installed ACS 4.2 on a Windows Server 2003 and added the following AAA commands on the trial router, along with the tacacs-server host and key:

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login NO_AUTHEN none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec NO_AUTHOR none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 1 NO_AUTHOR none
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 NO_AUTHOR none
    aaa authorization network default none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    !
    aaa session-id common

    Then I created a user and set the secret key on the ACS server, and added this router as an AAA client. The router no longer accepts the old login name and password, but it does not accept the username set on TACACS either. Where am I making a mistake? Kindly help.

    Thank you.

    ANU,

    Are you getting the TACACS username/password prompt?

    If you get the username/password prompt and it isn't taking TACACS credentials, could you please connect with the local username/password and run these debugs:

    debug tacacs
    debug aaa authentication
    term mon

    After this, attempt to connect again with the TACACS username/password and send me the output.

    Also check the failed TACACS attempts under Reports and Activity.

    HTH
    JK

    Rate useful posts-

  • TACACS+ for VTY & Console

    Hello

    I am creating a TACACS+ configuration that will make sure that when you log on to the CONSOLE or VTY you get a TACACS+ challenge, and if the TACACS server is down then fall back to the local user/password and local enable password.

    Please advise whether I have followed Cisco best practices; this will help many others to follow.

    Thank you and best regards,

    username cisco secret cisco123
    enable secret cisco456
    aaa authentication login network-access group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated   (what is the difference between this and the command just below, and which one should I use?)

    or

    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line vty 0 15
     login authentication network-access
    line con 0
     login authentication network-access

    Q1) Your configuration should work for both types of users.

    Q2) authorization and accounting at all levels will increase the volume of network traffic and increase the need for storage on the server. You must decide on the basis of your organization and your needs if the additional traffic and the increased storage is justifiable.

    HTH

    Rick

  • Socket errors with TACACS+

    Hi Experts,

    I have two switches; one switch has a problem when I run the TACACS+ configuration. I have two servers and am able to ping the servers successfully. I have a doubt when I read the description in the Cisco docs. Please help identify the cause. Thank you.

    switch02#test aaa group tacacs+ btela77 Aug2011b legacy
    % Authorization failed.

    When I run show tacacs, I find socket errors:

    switch02#show tacacs
    Tacacs+ Server            : 10.52.0.158/49
                  Socket opens:          4
                 Socket closes:          4
                 Socket aborts:          0
                 Socket errors:          4
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          4
            Total Packets Recv:          4

    Tacacs+ Server            : 10.51.65.94/49
                  Socket opens:          3
                 Socket closes:          3
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0

    Can you try again on the switch with the problem and then check on the TACACS server to see whether the server has anything in its log about the failed attempts?

    HTH

    Rick
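A way to read the `show tacacs` counters above mechanically, as an added example (not from the thread or from Cisco): parse each server block into its counters and flag the ones that look unhealthy. The sample output is constructed to mirror the two servers in the post; the health rules in `assess` are my own and are assumptions about what is worth a look, not IOS thresholds.

```python
"""Summarise `show tacacs` per-server counters and flag unhealthy servers.

Added example; not from the thread. SAMPLE_SHOW_TACACS is constructed to
mirror the two servers shown in the post.
"""
import re

SAMPLE_SHOW_TACACS = """\
Tacacs+ Server            : 10.52.0.158/49
              Socket opens:          4
             Socket closes:          4
             Socket aborts:          0
             Socket errors:          4
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          4
        Total Packets Recv:          4

Tacacs+ Server            : 10.51.65.94/49
              Socket opens:          3
             Socket closes:          3
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
"""

_SERVER_RE = re.compile(r"^\s*Tacacs\+ Server\s*:\s*(\S+)")
_COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")


def parse_show_tacacs(text):
    """Return {server: {counter_name: int}} in the order servers appear."""
    servers, current = {}, None
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            servers[current][m.group(1).strip().lower()] = int(m.group(2))
    return servers


def assess(counters):
    """Return the reasons a server looks unhealthy (empty list = looks fine)."""
    reasons = []
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    if counters.get("socket errors", 0):
        reasons.append("socket errors")
    if counters.get("socket timeouts", 0):
        reasons.append("socket timeouts")
    if counters.get("failed connect attempts", 0):
        reasons.append("failed connects")
    if sent > recv:
        reasons.append("missing replies")
    if counters.get("socket opens", 0) and not sent:
        # Sockets were opened to this server but no request ever went out.
        reasons.append("sockets opened but nothing sent")
    return reasons


if __name__ == "__main__":
    for server, counters in parse_show_tacacs(SAMPLE_SHOW_TACACS).items():
        print(server, assess(counters) or "ok")
```

On the posted output the first server is the one to chase (socket errors), and the second is worth a second look because the switch opened sockets to it without ever sending a request, which is what you would expect to see when it was only reached as a failover target.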

  • AAA on switches vs routers (on Cisco IOS)

    I have AAA with TACACS+ configured on a router this way:

    aaa authentication login default group tacacs+ local-case enable
    aaa authentication enable default group tacacs+ enable

    Do I enter the same configuration on a switch (switches in general)?

    What about accounting? Do I configure the same accounting on the router and the switch?

    For the switch, do I need to enable accounting on the console line?

    Example:

    line con 0
     accounting commands 15 default
     accounting exec default

    So, on the router I have accounting configured but not applied to the lines (e.g. console, vty)... As soon as accounting is enabled on the router, is it automatically applied to all lines if I use the default method list? And is that true for switches?

    Hi Nathan,

    The AAA commands work the same way on both routers and switches.

    And having "default" means it will be applied to all lines on routers as well as on the switch. You do not have to specify it explicitly as:

    line con 0
     accounting commands 15 default
     accounting exec default

    There is no need, as once again it will look for the accounting list 'default', which, if already set up, will be the same.

    Therefore the only commands you need to specify are:

    ! record type on the level-0 line was garbled in the post; stop-only is a reconstruction
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    By default we have commands at three privilege levels on IOS devices: levels 0, 1 and 15.

    Hope it helps :)

  • Out-of-band (modem) access to an IDSM2 blade

    We will soon have a few IDSM2 blades distributed geographically. My company's security group does not control the Cat 650x switches as such, and I would like to know if there is some way we could get console (modem) access to the IDSM2 blade only (without getting onto the switch).

    If this is not possible, is there a common console connection that must be shared between the infrastructure group and the security group? Is it possible for us to share modem/console access while still separating privileges?

    Your help is appreciated. Thank you

    The IDSM-2 itself does not have a console port.

    Options for accessing the IDSM-2:

    (1) A user can access the switch console and, from the switch CLI, session to the IDSM-2. This would require a physical connection to the switch via a console port (or terminal server) and passwords to access the switch and the IDSM-2.

    (2) A user could connect to the switch via a modem and, from the switch CLI, session to the IDSM-2. This would require a modem connection to the switch and the passwords to access the switch and the IDSM-2.

    (3) A user could telnet or SSH to the switch and, from the switch CLI, session to the IDSM-2. This would require network connectivity to the IP address of the switch itself and passwords for the switch and the IDSM-2.

    (4) A user could SSH directly to the IDSM-2 command and control IP address. This would require network connectivity to the IDSM2 command and control IP address and only the passwords for the IDSM-2 itself.

    (5) Similar to option 4 above, the user could telnet directly to the IDSM-2.

    (6) A user could browse (HTTPS) to the IDSM-2 command and control IP address to access the IDS Device Manager. This would require network connectivity to the IDSM2 command and control IP address and only the passwords for the IDSM-2 itself.

    -------------

    During the initial installation of the IDSM-2, options 4, 5 and 6 cannot be used. This is because the IDSM-2 ships with a standard default IP address that is not likely to be usable. For the initial setup, the user must session in from the switch CLI.

    However, once the "setup" command has been run on the IDSM-2 and the switch configuration places the IDSM-2 in the correct VLAN for the IDSM-2 command and control IP, the IDSM-2 is accessible directly over the network via options 4, 5 and 6.

    Once the initial setup is complete, the day-to-day management of the IDSM-2 can be done through direct network access, so there is no need to access the switch.

    The only times the switch will have to be accessed again are to configure the sending of packets to the IDSM-2 (usually done with the initial setup and rarely changed) and to reset the module or reload a new image on the module in case of major problems. (Note that standard upgrades can be performed via direct network access without access to the switch.)

    So some users choose to work in collaboration with the switch team during initial setup and during periods of troubleshooting, and just use direct access via SSH or telnet to the IDSM-2 for day-to-day activity.

    Other groups have used TACACS+ to provide a userid on the switch to the security team. Via TACACS+ configuration entries, the userid for the security team may be limited to executing only the commands that are required to maintain the IDSM-2.

    The userid could be used to connect to the switch over the network, or to connect on the switch console or a modem connected to the switch.

    If your fear is instead that the network connectivity between your main site and the remote site is down, then have you considered adding a PC at the remote site, which would be on the same network as the IDSM-2 command and control address?

    You could put a modem in the PC and then, when you need to, dial in to the PC, and the PC would be able to telnet or SSH to the IP address of the IDSM-2.

  • ACS 5.1 integration with WLC

    Hello

    Can someone help me find a document for ACS 5.1 appliance TACACS+ integration (configuration) with my WLC, and also RADIUS configuration for clients?

    All the wireless controller configuration guides show only ACS 4.x integration.

    Thanks in advance

    Hello

    There is unfortunately no official configuration example for this right now.
    However, you can look at these screenshots I took of a lab example, to set up the shell profile and pass it back with the authorization rule.

    Hope this helps,

    Fede

    --
    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • SSH connection issues on a PIX

    Hello

    I have a PIX 506 running OS 6.2(2) which sits in a DMZ, known as the outside PIX. It's behind another PIX 506 (the inside PIX). The two PIXes have TACACS+ configured for login authentication.

    Last week the outside PIX physically crashed and I replaced it with a spare PIX and completely reconfigured it.

    Now I can't connect to this outside PIX using SSH, although the access list on the inside PIX is correct and allows SSH and TACACS+. However, I can telnet to it.

    I use PuTTY to connect, and when I start the SSH session to the PIX, the login window appears and disappears immediately without giving me time to do anything.

    Any help would be greatly appreciated. Thanks in advance.

    A.G.

    ##################################################

    Inside PIX config:

    access-list inside permit tcp Company-Inside-Net 255.255.255.0 host outsidepix-inside-interface eq ssh
    access-list inside permit tcp Company-Inside-Net 255.255.255.0 host outsidepix-inside-interface eq telnet
    access-list inside permit icmp DMZNet 255.255.255.192 Company-Inside-Net 255.255.255.0 echo
    access-list inside permit icmp Company-Inside-Net 255.255.255.0 DMZNet 255.255.255.192 echo-reply
    access-list dmzacl permit icmp host outsidepix-inside-interface Company-Inside-Net 255.255.255.0 echo
    access-list dmzacl permit icmp host outsidepix-inside-interface Company-Inside-Net 255.255.255.0 echo-reply
    access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server1 eq tacacs
    access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server2 eq tacacs

    The outside PIX config:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host tacacs-server1 1234 timeout 10
    aaa-server TACACS+ (inside) host tacacs-server2 1234 timeout 10
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa authentication enable console TACACS+
    telnet Company-Inside-Net 255.255.255.0 inside
    telnet timeout 5
    ssh Company-Inside-Net 255.255.255.0 inside
    ssh DMZNet 255.255.255.192 inside
    ssh timeout 5

    Did you follow the steps to configure SSH? Are the domain name and hostname defined on it? Did you generate the RSA key (ca generate rsa key) to create the encryption keys?

  • How does the device select the tacacs-server?

    Hi guys,

    We have an existing TACACS configuration on our devices and 2 ACS servers. The ACS servers are managed by another supplier and sit at their site. Now we intend to manage the ACS servers ourselves. We installed a new ACS server at our location; we have thousands of devices. If we move to the new server, do we just add the 2 new ACS servers? Will the new ACS server be able to connect to the devices? How does a device choose which ACS server is primary or secondary? Please advise.

    Old configuration

    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    ! record types on the level-0 and connection lines were garbled in the post; stop-only and start-stop are reconstructions
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x

    New config

    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x
    tacacs-server host 100.x.x.x   <-- new
    tacacs-server host 100.x.x.x   <-- new

    Hi M.,

    No, not round robin.

    It checks the first IP address. It checks the next IP address only if the first one has failed.

    I hope it's clearer now.

    Rating useful answers is more useful than saying "thank you".

  • TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding

    TACACS+ is configured on the router and the router is in ACS. I can ping from the ACS, but the router cannot establish a connection to authenticate users.

    aaa group server tacacs+ hq_acs-1
     server 10.20.17.2
     ip tacacs source-interface GigabitEthernet0/0
    !
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 10 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting nested
    aaa accounting update newinfo periodic 60
    aaa accounting auth-proxy default start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ! record type on the connection line was garbled in the post; start-stop is a reconstruction
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting resource default start-stop group tacacs+

    BigTree_3945#sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    GigabitEthernet0/0         10.4.3.1        YES NVRAM  down                  down
    GigabitEthernet0/1         10.12.10.26     YES NVRAM  up                    up
    Serial0/2/0                unassigned      YES NVRAM  down                  down
    Serial0/2/0.602            10.12.15.10     YES NVRAM  down                  down

    Apr 13 11:08:13.673: TPLUS: Queuing AAA Authentication request 79 for processing
    Apr 13 11:08:13.673: TPLUS: processing authentication start request id 79
    Apr 13 11:08:13.675: TPLUS: Authentication start packet created for 79(cisscdb)
    Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
    Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
    Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
    Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
    Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
    Apr 13 11:08:25.834: TPLUS: Queuing AAA Authentication request 79 for processing
    Apr 13 11:08:25.834: TPLUS: processing authentication start request id 79
    Apr 13 11:08:25.834: TPLUS: Authentication start packet created for 79(cisscdb)
    Apr 13 11:08:25.834: TPLUS: Using server 10.20.17.2
    Apr 13 11:08:25.834: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
    Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
    Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
    Apr 13 11:08:30.836: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
    Apr 13 11:08:43.689: TAC+: Using default tacacs server-group "tacacs+" list.
    Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
    Apr 13 11:08:51.057: TPLUS: Queuing AAA Authentication request 79 for processing
    Apr 13 11:08:51.057: TPLUS: processing authentication start request id 79
    Apr 13 11:08:51.057: TPLUS: Authentication start packet created for 79(cisscdb)
    Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
    Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
    Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
    Apr 13 11:08:54.692: TPLUS: Queuing AAA Accounting request 76 for processing
    Apr 13 11:08:54.692: TPLUS: processing accounting request id 76
    Apr 13 11:08:54.692: TPLUS: Sending AV task_id=332
    Apr 13 11:08:54.692: TPLUS: Sending AV timezone=EDT
    Apr 13 11:08:54.692: TPLUS: Sending AV service=shell
    Apr 13 11:08:54.692: TPLUS: Sending AV start_time=1334329734
    Apr 13 11:08:54.692: TPLUS: Sending AV priv-lvl=15
    Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging
    Apr 13 11:08:54.692: TPLUS: Accounting request created for 76(n20j03t)
    Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
    Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
    Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
    Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
    Apr 13 11:08:56.058: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
    Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
    Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out, clean up
    Apr 13 11:08:59.693: TPLUS(0000004C)/1/20FD90EC: Processing the reply packet

    BigTree_3945#

    ACS AAA client entry for the router:

    AAA Client IP Address: 10.4.3.* 10.12.15.10
    Key:
    Network Device Group: Test (other groups offered: NJT, AccessLink, (Not Assigned))
    Authenticate Using: TACACS+ (Cisco IOS) (other options offered: RADIUS (Cisco Aironet), RADIUS (Cisco BBSM), RADIUS (Cisco IOS/PIX), RADIUS (Cisco VPN 3000), RADIUS (Cisco VPN 5000), RADIUS (IETF), RADIUS (Ascend), RADIUS (Juniper), RADIUS (Nortel), RADIUS (Sepi))
    Single Connect TACACS+ AAA Client (Record stop in accounting on failure)

    The 10.12.10.* range is listed under the HQ site.

    Your help is greatly appreciated.

    You said that you can ping the router from the ACS, but have you tried sourcing the pings from the GigabitEthernet0/0 interface (that is the one TACACS+ will attempt to use, given the configuration you posted)?

    What does the network path between the router and the ACS look like (i.e., a firewall, NAT, etc.)?

    Can you connect to port 49 on the TACACS server IP address from the router, sourcing packets from GigabitEthernet0/0?

    Are you using VRF?

    Which version of IOS?
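The debug excerpt above can be reduced to per-server counts, which is the check the reply is asking for in another form. This is an added example, not from the thread or from Cisco: the sample lines are constructed after the posted debug (same server address and request handles), and the correlation rule, remembering the server named by the last `Using server` line for each request handle, is an assumption about the debug format that holds for the lines shown. Note also that in the posted `show ip interface brief` the configured `ip tacacs source-interface`, GigabitEthernet0/0, is down, which by itself explains why no TCP connection to port 49 ever completes.

```python
"""Correlate `debug tacacs` / `debug aaa` output into per-server failure counts.

Added example; not from the thread. SAMPLE_DEBUG is constructed after the
debug excerpt in the post (server address and handles taken from it).
"""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging
Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
"""

_USING = re.compile(r"TPLUS: Using server (\S+)")
_STATE = re.compile(r"TPLUS\((\w+)\)/\d+/(?:\w+/)?\w+: (.+)$")
_TCP_FAIL = re.compile(r"TAC\+: TCP/IP open to (\S+) failed")


def summarize(debug_text):
    """Return {server: {"attempts", "timeouts", "tcp_open_failures"}}.

    The "Using server" line that precedes a request's "Started ... timeout"
    tells us which server a later "timed out" for that handle belongs to.
    "timed out, clean up" is the same event logged again, so it is not counted.
    """
    stats = defaultdict(lambda: {"attempts": 0, "timeouts": 0, "tcp_open_failures": 0})
    last_server = None
    server_of = {}                      # request handle -> server it was sent to
    for line in debug_text.splitlines():
        m = _USING.search(line)
        if m:
            last_server = m.group(1)
            stats[last_server]["attempts"] += 1
            continue
        m = _TCP_FAIL.search(line)
        if m:
            stats[m.group(1).rsplit("/", 1)[0]]["tcp_open_failures"] += 1
            continue
        m = _STATE.search(line)
        if m:
            handle, msg = m.groups()
            if msg.startswith("Started") and last_server:
                server_of[handle] = last_server
            elif msg == "timed out" and handle in server_of:
                stats[server_of[handle]]["timeouts"] += 1
    return dict(stats)


def unreachable_servers(stats):
    """Servers that never answered: a failed TCP open, or every attempt timed out."""
    return sorted(
        server for server, c in stats.items()
        if c["tcp_open_failures"] or (c["attempts"] and c["timeouts"] >= c["attempts"])
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_DEBUG)
    for server, counters in stats.items():
        print(server, counters)
    print("unreachable:", unreachable_servers(stats))
```

A server that shows up in `unreachable_servers` with timeouts equal to attempts and a TCP open failure is not a credential problem at all; it is a reachability problem from the source interface the device actually uses, which is where the reply's questions about Gi0/0, firewalls and VRFs point.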

  • TACACS+ with Cisco 3560 switch configuration issue

    Hi Forum,

    Here's my TACACS+ setup on my Cisco 3560 switch, and my question is, how can I configure the switch so that I don't have to type enable after I put in the username and password? With the configs below, users need to type enable whenever they connect to the switch in order to enter the user exec mode. Please let me know if there is something missing in my configs to help me avoid typing 'enable'.

    Thanks in advance,

    MacBookAir:~ MacBook$ ssh [email protected]
    Password:
    Switch>en
    Switch#show run | include aaa
    aaa new-model
    aaa group server tacacs+ mpcc
    aaa authentication login default group tacacs+ local
    aaa authentication enable default none
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa server radius dynamic-author
    aaa session-id common
    Switch#

    Hello

    Add privilege level 15 under the VTY line configuration.

    line vty 0 4
     [..]
     privilege level 15
    !

    Regards

  • ACS user configuration - TACACS+ enable password

    When a user logs on for the first time, I need to go into the user's configuration and change the TACACS+ Enable Password setting from "Use separate password" to "Use external database password" - how can I make this the default?

    Once this change has been made, everything works fine, but I want this piece to be automatic.

    Thank you very much!

    It is certainly a change that would be useful - a group setup option that allows global configuration of the enable password to use the same password as the external DB password. Unfortunately, at the moment this option is not available.

    Jeff

  • PIX configuration as a blocking device w/ TACACS+ authentication

    Hello

    I have a PIX running version 6.3(1). The PIX is configured to use a CSACS 3.1 server for AAA authentication and authorization over TACACS+. The sensor is running 2.0000 Sig46.

    Before adding AAA to the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I have been unable to get the sensor to connect to the PIX for shunning.

    I created a login and password with admin rights for the IDS sensor to connect and create shuns. I could authenticate and build shuns manually via a Telnet and SSH connection using this login. I tried removing and re-adding the blocking device several times.

    When I configure the PIX as a Telnet blocking device, I see the state of the network device as "initializing" when looking at the statistics in IDM. When I configure the PIX as an SSH blocking device, I see the state as "inactive".

    Please let me know if you have any suggestions - if not I guess I will open a case with TAC. Thanks in advance for the help!

    Kind regards

    Chad

    Make sure the PIX is in the list of allowed hosts. From the CLI, type

    configure terminal
    ssh host-key <pix interface ip>

    Check that you have associated the PIX with the correct logical device. The logical device record contains the username, password and enable password. Using IDM, it is selected in a drop-down list on the Blocking Devices page.

  • How to configure ACS 5.2 to manage a Junos 10.4R6.5 firewall via TACACS

    Hi all

    I have a newly installed ACS 5.2 appliance, integrated with our AD, and it works with Cisco products, routers, switches, etc.  Now I would like to include Juniper firewalls so they are authenticated via ACS 5.2, for both SSH and web access.  Can someone share how to get started with this and create the policies?

    FYI: I have 2 AD groups, regionaladm and regionalops, read/write and read-only access respectively.

    Kind regards

    Marlon

    Marlon,

    I pasted in a config file below that I made for our ScreenOS firewall to work with Cisco ACS v5.2.  This configuration may not work because yours is Junos, but it could bring you closer to understanding it.  Also, if you have not been on the Juniper J-Net, ask around there, give it a shot. (forums.juniper.net)

    Good luck!

    -Chris

    Title: Example configuration - Juniper SSG and Cisco ACS v5.x

    Product: Juniper SSG320M (Cisco ACS v5.x)

    Version: ScreenOS 6.3.0r10.0 (Cisco ACS v5.2.0.26.8)

    Network topology:

    [Juniper SSG320M]-[Cisco 3560 Switch]-[Cisco ACS VM]

    Description:

    Goal - authenticate SSG administrators using TACACS+ instead of local logins

    Description - This configuration is for Cisco ACS v5.x; JTAC only had a configuration for v3.3.

    ACS v5.x is a Linux-based VM with a completely new user interface and structure.

    Configuration:

    Configure the Juniper (CLI)

    1. Add the Cisco ACS and TACACS+ configuration.

    set auth-server CiscoACSv5 id 1
    set auth-server CiscoACSv5 server-name 192.168.1.100
    set auth-server CiscoACSv5 account-type admin
    set auth-server CiscoACSv5 type tacacs
    set auth-server CiscoACSv5 tacacs secret CiscoACSv5
    set auth-server CiscoACSv5 tacacs port 49
    set admin auth server CiscoACSv5
    set admin auth remote primary
    set admin auth remote root
    set admin privilege get-external

    Configure the Cisco ACS v5.x (GUI)
    1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
    Create the Juniper shell profile.
    Click the [Create] button at the bottom of the page
    Select the General tab
    Name: Juniper
    Description: Custom attributes for Juniper SSG320M
    Select the Custom Attributes tab

    Add the vsys attribute:
    Attribute: vsys
    Requirement: Mandatory
    Value: root
    Click the [Add ^] button above the attribute field

    Add the privilege attribute:

    Attribute: privilege
    Requirement: Mandatory
    Value: root

    Note: you can also use "read-write", but then the local admin does not work correctly
    Click the [Add ^] button above the attribute field
    Click the [Submit] button at the bottom of the page

    2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
    Create the Juniper authorization policy and filter by IP address.
    Click [Customize] at the bottom right of the page
    In the Customize Conditions window, select IP Address in the left pane
    Click the [>] button to add it
    Click the [OK] button to close the window

    Click the [Create] button at the bottom of the page to create a new rule
    Under General, name the new rule Juniper and make sure it is enabled
    Under Conditions, check the box next to IP Address
    Enter the IP address of the Juniper (192.168.1.100)
    Under Results, click the [Select] button next to the Shell Profile field
    Select "Juniper" and click the [OK] button
    Under Results, click the [Select] button under the Command Sets field (if used)
    Select "Permit all" and make sure all other boxes are UNCHECKED
    Click the [OK] button to close the window
    Click the [OK] button at the bottom of the page to close the window
    Check the box next to the Juniper policy, and then move the policy to the top of the list
    Click the [Save] button at the bottom of the page

    Audit:

    Log in to the Juniper CLI and GUI using an ACS internal user account and try to change something to check the privilege level.
