TACACS+ vs RADIUS

Hello

I know this has been asked several times, but I thought I'd ask myself. We have ACS at the moment and need to move to a newer version because of system updates, so it is now incompatible with our most recent operating systems. This means we will go to ISE 2.0, which includes TACACS+ as an additional add-on. However, I am told that I don't need TACACS+, since we can use RADIUS for device administration.

My question is how secure this is, given that RADIUS doesn't encrypt the whole packet, just the password, and therefore the commands the user enters get sent to ISE for verification in the clear; surely we would want this packet encrypted, though of course there are other considerations. The network is relatively small, with two core switches and then 15 switch cupboards and wireless APs around the site, VPN users and system admins, and we will deploy device authentication on the network too with the new ISE platform. We are in a building that has floors open to the public.

All points gratefully received.

Thank you

Ed

With RADIUS you won't get command accounting and authorization, which means you won't have an audit trail of who entered which command on the device and when, and you can't control which commands each user may run (they will be able to run any command available at their current privilege level).

For these reasons, TACACS+ is usually preferred for device administration.

Javier Henderson

Cisco Systems

Tags: Cisco Security

Similar Questions

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello

    I'm enabling wired authentication on a network using Cisco ISE. I studied the requirements for this. I know that I need to enable RADIUS on the Cisco switches on the network. The switches in the network are already configured for TACACS+. Does anyone know if they can both operate on the same network at the same time?

    Bob

    I suppose that TACACS+ is configured (with ACS 4.x or 5.x) for device administration via telnet/ssh, and now you need RADIUS to authenticate 802.1X. Yes, they can both work on the same network at the same time.

    ~ BR
    Jatin Kone

    * Please rate helpful posts *

  • Interaction of TACACS+ and RADIUS on ACS 2.6 with downloadable PIX ACLs

    We have ACS v2.6 running and controlling our access to remote routers and switches. We are now looking to add support for an internal PIX firewall and want to use ACS downloadable ACLs for the PIX (to control outbound traffic through the PIX for authenticated users).

    We have achieved this using the Cisco IOS/PIX RADIUS attribute

    [009\001] cisco-av-pair on ACS (and access-list restrictions on user access).

    However, the problem we noticed is that any user that is valid in our CiscoSecure or SecurID database can authenticate and gain access through the firewall, even if they are not allowed to do this (and by default the PIX allows unlimited full access from inside to outside).

    We then imposed network access restrictions on the CiscoSecure ACS for our PIX, to allow access only for the relevant user groups, but this did not work with RADIUS, only with TACACS+ (I guess that's because RADIUS does not support authorization).

    We got it working with TACACS+, with the ACS passing the ACL number/ID down to the PIX for permitted users.

    Question: we want to use ACS downloadable ACLs for the PIX (for central support reasons); is this possible using TACACS+, and if so, how do we configure CiscoSecure ACS for the example ACL below?

    access-list pix_int permit tcp any host 10.x.x.x eq 1022

    access-list pix_int permit tcp any host 10.x.x.x eq 1023

    Thank you

    Downloadable ACLs only work with RADIUS, as described here:

    http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

    You can continue to set the ACL on the PIX itself and simply pass the ACL number via TACACS+ (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can't actually send the entire ACL down via TACACS+, sorry.

  • TACACS+ and RADIUS - does either care about the hostname?

    When I first experimented with TACACS+ I remember changing the hostname on a router and having it cause problems with authentication.  Is it normal for TACACS+ to use the hostname of devices as part of the authentication process? What about RADIUS?

    Hello

    Nope, neither of them uses the hostname of the appliance for the AAA process.

    They only care about the source interface (source IP address), the shared secret and the ports used.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to configure ACS to allow a switch to use TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up the authentication on the switch once.

    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group radius
    radius-server host 2.2.2.2 key cisco
    tacacs-server host 2.2.2.2 key cisco

    On the ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA Client

    Host name: switch1

    IP: 3.3.3.3

    Authenticate using: RADIUS (IETF)

    Add another switch

    Host name: switch2

    IP: 3.3.3.3

    Authenticate using: TACACS+

    Kind regards

    ~ JG

    Please rate helpful posts

  • Switches: RADIUS or TACACS?

    Hello

    So far I've managed my switches with TACACS+, but now I have to deploy 802.1X, which requires RADIUS only.

    As far as I know, ACS (I use 4.2) allows you to define a device using only TACACS or RADIUS, but not both.

    Am I mistaken? Or is there a way to define an AAA client that communicates with the ACS using both protocols?

    Assuming I'm right, I then considered the following options:

    - Configure all switches to use RADIUS for every service (authentication, authorization, etc.). This is easier, but I lose the TACACS+ services for the switches. Is that a big loss?

    OR

    - Configure the L3 switches to use a second loopback, just for the RADIUS services. They would still use TACACS+, but this would require a new network for the RADIUS service; in addition, the L2 switches do not support two IP addresses and would require a migration to RADIUS anyway.

    A considerable administrative burden, in other words.

    I'm not ready to deploy a second RADIUS server (ACS, Windows, whatever) right now.

    The key point is this: reading around, I see that Cisco documentation always recommends using TACACS+ for management, but in this case it is not possible. In general, whenever the device has a network access role (switch or access point) RADIUS seems to be the protocol of choice. Would moving to RADIUS have any drawbacks beyond the change in communication protocol? (I know the difference between TACACS+ and RADIUS: TCP vs UDP, encryption of the whole packet vs encryption of only the password.)

    Thanks in advance

    C

    Hello Carlo,

    You can keep using TACACS+ for device management and RADIUS for 802.1X, with no need for additional servers or an additional IP on each managed device.

    ACS 4.2 allows you to define two AAA clients with the same IP address, one for TACACS+ and one for RADIUS; however, the host name must be unique.

    Then, on the switch, you can define the same ACS server as both radius-server host and tacacs-server host, and configure the "aaa" commands so that console login and authorization point to the TACACS+ server and the dot1x part points to the RADIUS server.

    What you're looking for is feasible, and it is normal to use TACACS+ for device management and RADIUS for 802.1X.

    I hope that answers your questions.

    Kind regards

    Federico

    --

    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • I am unable to log in with TACACS+ after adding the aaa authorization network command

    Hello

    I was testing aaa authentication on a switch for the case where it cannot communicate with ISE, and I found some strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS login.

    The switch kept cycling: it showed the banner, gave the authentication failure message 3 times, and then the cycle began again with the failure, the banner and the login message.

    I removed the aaa authorization network command, reloaded the switch, and was able to log in successfully.

    Could someone help me with this problem?

    Hi Nitesh-

    This command (... aaa authorization network) has nothing to do with admin authorization on the NAS (in this case, the switch). This command applies to network connections such as PPP, SLIP, etc.

    In addition, aaa authorization can be performed by RADIUS and not only TACACS+. RADIUS is not as powerful and cannot provide command authorization sets, but you can still return roles and different privilege levels.

    Have you tested the above configuration syntax? I did and it works as expected!

    Thank you for rating helpful posts!

  • RADIUS authentication on a Cisco switch

    Hello

    I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy is doing the server side; we have matching keys and he says there is no problem on his side, but it still doesn't work.

    Switch config:

    aaa new-model
    aaa authentication login default group radius local

    radius-server host 10.0.0.13 auth-port 1812
    radius-server key 0 test

    line vty 0 4
     login authentication default

    The switch and the RADIUS server are on the same network. I did a debug and am confused by the output. Can someone point me in the right direction?

    I did a debug radius authentication and a debug aaa authentication

    AccessSwitch#
    RADIUS/ENCODE(00001586): orig. component type = Exec
    RADIUS: AAA Attr not supported: interface [221] 4 92269176
    RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    RADIUS(00001586): Config NAS IP: 0.0.0.0
    RADIUS(00001586): Config NAS IPv6:
    RADIUS/ENCODE(00001586): acct_session_id: 20
    RADIUS(00001586): sending
    RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
    RADIUS(00001586): Sending a IPv4 Radius Packet
    RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18, len 77
    RADIUS:  authenticator 7 c B1 A0 55 62 45 7 AF b - E2 F2 48 4 C3 F0 72 98
    RADIUS:  User-Name [1] 15 "james.hoggard"
    RADIUS:  User-Password [2] 18 *
    RADIUS:  NAS-Port [5] 6 2
    RADIUS:  NAS-Port-Id [87] 6 "tty2"
    RADIUS:  NAS-Port-Type [61] 6 Virtual [5]
    RADIUS:  NAS-IP-Address [4] 6 10.0.0.56
    RADIUS(00001586): Started 5 sec timeout
    RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
    RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 9th 12 4 80 A9 3 c D8
    RADIUS(00001586): Received from id 1645/18
    AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
    RADIUS/ENCODE(00001586): ask "Password: "
    RADIUS/ENCODE(00001586): send packet; GET_PASSWORD

    Thank you

    James.

    Yes, PAP always uses plain text, and that doesn't provide any kind of security.  However, RADIUS does not support CHAP/MSCHAP for administrative sessions; we cannot configure firewall/IOS devices to authenticate users for an administrative telnet/ssh session with the MSCHAPv2 authentication method.

    If you need secure communications you can implement TACACS.

    TACACS+ and RADIUS both use a shared secret key for encrypting communications between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password with a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ not only encrypts the entire payload of the communication, it also encrypts the password between the client and the server. This makes it harder to decipher the information about the communication between the client and the server. TACACS+ uses the MD5 hash in its encryption and decryption algorithm.

    ~ BR
    Jatin Kone

    * Please rate helpful posts *
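The "password only" versus "whole payload" difference raised in Ed's question and spelled out in the reply above can be checked byte for byte. The following Python is an added example, not code from the thread or from Cisco: it implements RFC 2865 User-Password hiding (RADIUS) and RFC 8907 body obfuscation (TACACS+) and then reports which fields of each protocol's first packet a passive observer can read. Only the username and attribute lengths are taken from the debug output above; the secret, password, Request Authenticator, session id, port and remote address are constructed values.

```python
"""What the shared secret hides on the wire: RADIUS vs TACACS+ (RFC 2865 / RFC 8907)."""
import hashlib
import struct

# Constructed sample values; the username and attribute lengths match the debug output above.
SECRET = b"test"                  # the "radius-server key test" from the switch config
USERNAME = b"james.hoggard"
PASSWORD = b"S3cret-pw"           # constructed password
AUTHENTICATOR = bytes(range(16))  # constructed Request Authenticator (random in real clients)


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: the User-Password attribute is XORed, 16 bytes at a time, with
    MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password, as done by a server that holds the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, pad))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(secret, authenticator, username, password, identifier=18):
    """Minimal Access-Request: Code 1, Identifier, Length, Authenticator, then TLV attributes.
    Only User-Password is hidden; User-Name [1] travels as plain text."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = (bytes([1, 2 + len(username)]) + username
             + bytes([2, 2 + len(hidden)]) + hidden)
    return struct.pack(">BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """RFC 8907 s4.5: the whole body is XORed with a pseudo-pad built from chained
    MD5(session_id + key + version + seq_no + previous digest). XOR is symmetric, so the
    same call both obfuscates and de-obfuscates."""
    sid = struct.pack(">I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def tacacs_authen_start(key, session_id, username, password):
    """TACACS+ authentication START (PAP): the 12-byte header stays in the clear; everything
    else, username included, is obfuscated. The port and rem_addr values are constructed."""
    port, rem_addr = b"tty2", b"10.0.0.99"
    # action=LOGIN, priv_lvl=1, authen_type=PAP, service=LOGIN, then the four field lengths
    body = (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)
    header = struct.pack(">BBBBII", 0xC0, 1, 1, 0, session_id, len(body))  # ver, type, seq, flags
    return header + tacacs_obfuscate(key, session_id, 0xC0, 1, body)


def what_is_visible():
    """Which fields a passive observer can read in each protocol's first packet."""
    rad = radius_access_request(SECRET, AUTHENTICATOR, USERNAME, PASSWORD)
    tac = tacacs_authen_start(SECRET, 0x12345678, USERNAME, PASSWORD)
    return {
        "radius_username_visible": USERNAME in rad,   # True
        "radius_password_visible": PASSWORD in rad,   # False
        "tacacs_username_visible": USERNAME in tac,   # False
        "tacacs_password_visible": PASSWORD in tac,   # False
    }


if __name__ == "__main__":
    print(what_is_visible())
```

Both schemes are MD5-keyed obfuscation rather than modern encryption, which is why RADIUS over TLS (RFC 6614) or a dedicated management network is the usual way to protect the AAA traffic itself.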

  • TACACS+ for unified ASA management and VPN auth

    Hello, I have an ASA 5540 and ACS 4.2 (AD backend); I want unified authentication for management and VPN access.

    For example, I have two groups in ACS (mapped from AD): Admins, VPN access.

    I want Admins to have full access (shell, VPN) and "VPN Access" to have only VPN, without a shell of any kind.

    I understand how to do this with RADIUS (use 'Service-Type' and a network access profile), but how do I do it with TACACS+?

    Is there a way?

    I explained almost the same scenario in this post from 2008

    https://Cisco-support.hosted.Jivesoftware.com/message/853751#853751

    To achieve this, you should have the same ASA added to ACS as both a TACACS and a RADIUS AAA client.

    Since you want the admin group to have FULL access, don't change anything on this group.

    Now the vpnaccess group on ACS must have access to the VPN only, so here you need to implement an IP-based NAR.

    Go into Group Setup > IP-based NAR

    I hope this helps.

    Rgds, Jousset

    Please rate helpful posts ~

  • Nexus command authorization with TACACS

    Hello.

    Can anyone provide an example configuration for using Cisco Secure ACS 4.2 to enable command authorization with TACACS?

    Thank you.

    Kind regards.

    Andrea

    Hello Andrea,

    We have moved to ACS 5.3 now, but we had our 5520 Nexus running against our old ACS 4.2 before this, so I picked out the relevant bits of the config below (server IP and key left out; the text after each ";" is my annotation, not part of the config):

    username admin password <password> role network-admin   ; local admin user
    feature tacacs+                                          ; turn on TACACS+
    tacacs-server host <server-ip> key <key>                 ; set the key for the TACACS+ server
    aaa group server tacacs+ tacacs                          ; create the group called "tacacs"
      server <server-ip>                                     ; set the IP address of the TACACS+ server
      use-vrf management                                     ; tell it to use the default 'management' vrf to send TACACS+ queries
      source-interface mgmt0                                 ; ...and send from the mgmt interface

    aaa authentication login default group tacacs                  ; use TACACS for login auth
    aaa authentication login console group tacacs                  ; use TACACS for console login auth
    aaa authorization config-commands default group tacacs local   ; use TACACS for config command authorization
    aaa authorization commands default group tacacs local          ; use TACACS for normal command authorization
    aaa accounting default group tacacs                            ; send accounting records to TACACS

    I hope that works for you!

    (This may change a bit when you move to ACS 5.x; we chose not to do complex command auth there (using only shell profiles), and to get round this you go back to letting the Nexus 5k do the command auth (network-operator vs network-admin) based on the role, if you just don't configure aaa authorization commands on the 5k.)

    Rob...

  • User management for WLC via LDAP possible?

    Hi guys, just like the title suggests.

    Correct me if I'm wrong:

    Both TACACS+ and RADIUS can be used for management access rights on the WLC?
    Well, how about LDAP? (In fact my answer to this is 'not possible', but I just want to check with you.)

    So, is LDAP supported for managing access to the WLC?

    If you look at the options when adding a RADIUS or TACACS server on a WLC, there is a checkbox for management, so admins can log on via each RADIUS or TACACS server; there is no option to do this with LDAP. When an administrator connects to a WLC using RADIUS or TACACS, the server sends a specific response saying what the admin can do (read only, read/write); LDAP does not, as far as I know, do that.

    Hope this helps

  • AS5300 connection with any random userid and password

    Hello

    A bit of an odd request, I know, but is it possible to get an AS5300 to prompt for a username and password for dial access but to accept random data entered in these fields? This should allow any user to connect whether or not they have a valid username or password.

    I entered the following.

    aaa authentication ppp USERS&TUNNELS local none

    If I use a local username it works very well, but a random one generates the following output.

    Harbour_Ex_as01#
    *Jun 16 02:45:39.092 EST: %ISDN-6-CONNECT: Interface Serial1:30 is now connected to N/A N/A
    *Jun 16 02:45:58.661 EST: %LINK-3-UPDOWN: Interface Async126, changed state to
    *Jun 16 02:45:58.661 EST: As126 PPP: Treating connection as a dedicated line
    *Jun 16 02:46:00.429 EST: As126 PAP: I AUTH-REQ id 29 len 30 from "richarddfsdfsdf"
    *Jun 16 02:46:00.429 EST: As126 PAP: Authenticating peer richarddfsdfsdf
    *Jun 16 02:46:00.429 EST: AAA: parse name=Async126 idb type=10 tty=126
    *Jun 16 02:46:00.429 EST: AAA: name=Async126 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=126 channel=0
    *Jun 16 02:46:00.429 EST: AAA: parse name=Serial1:30 idb type=13 tty=-1
    *Jun 16 02:46:00.429 EST: AAA: name=Serial1:30 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=1 channel=30
    *Jun 16 02:46:00.429 EST: AAA/MEMORY: create_user (0x6242F3E0) user='richarddfsdfsdf' ruser='' port='Async126' rem_addr='async/08453500050' authen_type=PAP service=PPP priv=1
    *Jun 16 02:46:00.429 EST: AAA/AUTHEN/START (116733842): port='Async126' list='USERS&TUNNELS' action=LOGIN service=PPP
    *Jun 16 02:46:00.429 EST: AAA/AUTHEN/START (116733842): found list USERS&TUNNELS
    *Jun 16 02:46:00.429 EST: AAA/AUTHEN/START (116733842): Method=LOCAL
    *Jun 16 02:46:00.429 EST: AAA/AUTHEN (116733842): status = ERROR
    *Jun 16 02:46:00.429 EST: AAA/AUTHEN/START (116733842): Method=NONE
    *Jun 16 02:46:00.433 EST: AAA/AUTHEN (116733842): status = PASS
    *Jun 16 02:46:00.433 EST: As126 PAP: O AUTH-NAK id 29 len 28 msg is "Authorization failed"
    *Jun 16 02:46:00.433 EST: AAA/MEMORY: free_user (0x6242F3E0) user='richarddfsdfsdf' ruser='' port='Async126' rem_addr='async/08453500050' authen_type=PAP service=PPP priv=1
    *Jun 16 02:46:01.197 EST: %ISDN-6-DISCONNECT: Interface Serial1:30 disconnected from unknown, call lasted 22 seconds
    *Jun 16 02:46:03.677 EST: %LINK-5-CHANGED: Interface Async126, changed state to reset
    *Jun 16 02:46:08.685 EST: %LINK-3-UPDOWN: Interface Async126, changed state to down

    Any help much appreciated.

    Thank you

    Richard

    I see at least two ways to allow anyone onto the 5300 router with any username and/or password.

    The first and easiest is to remove the ppp authentication command from the line. This will allow anyone to dial in to the machine without checking the ID and password. I believe that this will allow them in without the router generating a prompt for the ID, but that shouldn't be a big problem, because most of the time the prompt is generated by the PC before dialing in anyway. It may matter if the user is using a terminal window after dialing, where the prompt IS generated by the router.

    The second and more complicated way is based on the fact that there are several authentication methods that can be specified for ppp, including TACACS+, RADIUS, local and none. You can configure ppp authentication with TACACS+ or RADIUS as the main method and 'none' as the backup, and point TACACS+ or RADIUS at a non-existent server. This would cause the 5300 to attempt to authenticate via TACACS+ or RADIUS and, when that got no response, it would let the user in. I can't guarantee that this would generate a prompt, but the same remarks apply as in the previous paragraph about why it may not prompt.

  • CSM 4.1 - ASA configuration file backup via TFTP

    I'm fairly new to CSM, so this may be a newbie question.  In the "old days" we would write mem to save the running configuration to startup, and then write net to save the running configuration to a file on a TFTP server.  But now that we use CSM, there is no write net that happens during the process of deploying a config change.  The actual configuration is saved in CSM somewhere, since we actually change it there before deploying a change, right?  But it isn't in a format where I could replace a failed ASA with "copy startup-config tftp"?

    I read that you can "Preview Config" and then copy/paste the 'ASA (Full)' configuration, but there is one major flaw in this plan.  The displayed output masks all passwords, i.e. enable, passwd, TACACS+ and RADIUS keys, local username passwords.  Besides, copy/paste was never the best option for setting up initially, or for replacing a failed unit.  You just hope the running configuration doesn't interfere with what you paste (the factory DHCP config comes to mind).

    Is there a function where I can export the entire configuration to a file that matches the full startup configuration?  Or is there a function that would allow me to have the ASA periodically "write net"?

    You can configure a FlexConfig for one or more ASAs to run the copy command before and/or after a config deployment.  I just tested this on my CSM 4.2 server and it worked.  You will want to use the /noconfirm option so that the device doesn't present interactive prompts to CSM.

  • Logging IP addresses and usernames on routers

    Hello

    Without AAA services, using "deny any log" under an access-class, I can log the IP addresses of attempts to telnet to the router.

    Can I also log the username of successful logins without using a TACACS+ or RADIUS server?

    Can I use the local database to do the job?

    Hello!

    No, you can't. You have to use either TACACS+ or RADIUS to log the usernames of successful logins. With TACACS+ and RADIUS, you can map the local database onto these servers.

    HTH.

    Rgds

    Vimal

  • CiscoSecure ACS 4.2 could not start due to some services failing to start

    There are a few services that were not able to restart; they are as follows:

    (1) CSAuth

    Error: "Windows could not start the CSAuth on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1060"

    (2) CSTacacs

    Error: "Windows could not start the CSTacacs on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1066"

    (3) CSRadius = started

    The rest of the services like CSAdmin, CSDbSync, CSLog were started.

    Also I am not able to take the ACS system backup from System Configuration -> ACS Backup and pressing Backup Now. It shows the error message as:

    CSAuth service must be running to start the backup

    I was referring to snapshots of the OS itself, but I guess you have checked now.

    Remember that CSLog works, so you should see logs for the services that do not work. Look in the \CSAuth\Logs folder for the CSAuth logs, and in the other folders for the other services that do not work.

    There is a very detailed troubleshooting guide located here:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    This guide should help you solve the issue if there is no other software on the server causing trouble. One thing it says that may apply to you is to ensure that Windows Firewall and Internet Connection Sharing are not running.

    Since I am not familiar with your server, I think you should do the quick test below to make sure there are no ports in use that may be crashing the authentication services you mentioned. At the command line, type "netstat -ano | findstr -i listening" and see whether or not it shows your TACACS+ and RADIUS ports open. It will probably come back negative, but it's worth a check.

    Worst case, you may be able to use CSUtil to back up the database (I'm fairly certain you can back up with the services that do work), install ACS on a new Windows 2003 server, and then restore. You can use CSUtil for many types of exports and operations as well.

    Whether you manage to resolve the problem or not, you should speak with the person responsible for making backups of your servers and make sure that if something like this happens again you can have a quick fix during a maintenance window.
