HTTP using AAA authentication when the TACACS+ server is down

I set up AAA using TACACS+ and everything works well except for HTTP authentication through a browser or Network Assistant when the TACACS+ server is down. For console and telnet connections, the default authentication falls back to line when TACACS+ is out of service.

aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip http authentication aaa
!
tacacs-server host 10.161.161.20
tacacs-server key 111111

It must have something to do with the fact that over HTTP or CNA (Network Assistant) it connects to the router at level 15, but I have played with all sorts of different authorization orders and cannot make it work.

Paul

What do you want to do for authentication if the TACACS+ server is down? For telnet and console access you can use line as a backup method because it is possible to configure a password for the line on the console and vty ports. Which type of backup method do you want for HTTP? The one that seems most logical to me would be local authentication, to cover the situation where the server is down.

To use local authentication, you need to do the following:

- create a local user definition (maybe more than one if you need extended security).

- specify a named method list for AAA authentication.

- specify that HTTP uses that method list.

The configuration might look like this:

username tech1 password tech1
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa login-authentication http_auth

Or you can decide to use the enable secret (or enable password, if that is what is configured). The config might look like this:

aaa authentication login http_auth group tacacs+ enable
ip http authentication aaa login-authentication http_auth

If you want a different backup method, let us know what it is and we'll see how it could be implemented.

HTH

Rick
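Rick's answer comes down to three checks a practitioner can automate before the TACACS+ server goes away: a local user exists, every method list that relies on a server group has a fallback method after the group, and HTTP is bound to a login list whose fallback HTTP can actually use (the question shows that the `line` fallback that rescues console and vty does nothing for HTTP). The script below is an added example, not code from this thread or from Cisco. It audits a running-config for those conditions, flags method lists that contain `none` (the trick the terminal-server thread further down uses to switch authentication off on a line), and covers the "password by default when the server is inaccessible" question below as well. The three sample configs are constructed for the example, modelled on the configs posted in these threads.

```python
"""Audit a Cisco IOS config for AAA lock-out and no-auth method lists.

Added example, not code from the thread or from Cisco. The sample configs
at the bottom are constructed, modelled on the ones posted in these threads.
"""
import re

# Methods that still succeed when every AAA server is unreachable.
OFFLINE_METHODS = {"local", "local-case", "line", "enable"}
# Of those, the ones HTTP can use: no line password applies to an HTTP session.
HTTP_OFFLINE_METHODS = {"local", "local-case", "enable"}


def parse_method_lists(config):
    """Map (service, list_name) -> ordered methods, e.g.
    'aaa authentication login http_auth group tacacs+ local'
      -> {('login', 'http_auth'): ['group tacacs+', 'local']}"""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication (login|enable) (\S+) (.+?)\s*$", line)
        if not m:
            continue
        service, name, rest = m.groups()
        toks, methods, i = rest.split(), [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append("group " + toks[i + 1])   # server group, e.g. tacacs+
                i += 2
            else:
                methods.append(toks[i])                  # local, line, enable, none ...
                i += 1
        lists[(service, name)] = methods
    return lists


def http_login_list(config):
    """Login list HTTP uses: the explicit login-authentication binding,
    'default' for a bare 'ip http authentication aaa', None if HTTP is not on AAA."""
    explicit, bare = None, False
    for line in config.splitlines():
        m = re.match(r"\s*ip http authentication aaa(?: login-authentication (\S+))?\s*$", line)
        if m and m.group(1):
            explicit = m.group(1)
        elif m:
            bare = True
    return explicit or ("default" if bare else None)


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    lists = parse_method_lists(config)
    has_user = re.search(r"^\s*username \S+ .*\b(password|secret)\b", config, re.M) is not None

    for (service, name), methods in lists.items():
        uses_server = any(m.startswith("group ") for m in methods)
        if "none" in methods:
            findings.append(f"{service} list '{name}' contains 'none': no authentication required")
        if uses_server and not OFFLINE_METHODS.intersection(methods):
            findings.append(f"{service} list '{name}' has no fallback when the AAA server is down (lock-out)")
        if {"local", "local-case"}.intersection(methods) and not has_user:
            findings.append(f"{service} list '{name}' falls back to local but no username is configured")

    http = http_login_list(config)
    if http is not None:
        methods = lists.get(("login", http))
        if methods is None:
            findings.append(f"HTTP is bound to undefined login list '{http}'")
        elif not HTTP_OFFLINE_METHODS.intersection(methods):
            findings.append(f"HTTP uses login list '{http}' ({' '.join(methods)}): "
                            "no fallback HTTP can use when the AAA server is down")
    return findings


# Constructed: the original poster's layout (HTTP on the default list, line fallback).
CFG_ORIGINAL = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
ip http authentication aaa
"""

# Constructed: the fix from the answer (local user, dedicated list, HTTP bound to it).
CFG_FIXED = """\
aaa new-model
username tech1 password tech1
aaa authentication login default group tacacs+ line
aaa authentication login http_auth group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip http authentication aaa login-authentication http_auth
"""

# Constructed: a 'none' list (login bypass on terminal-server lines) and an
# enable list with no fallback at all.
CFG_NOAUTH = """\
aaa new-model
username operators privilege 15 secret 5 $1$xxxx
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authentication enable default group tacacs+
"""
```

Run `audit()` over the output of `show running-config`; the original layout yields one finding (HTTP has no usable fallback), the fixed layout none, and the NOAUTH sample two (a `none` list and an enable list that can only succeed while TACACS+ answers). Treat a `none` finding as intentional only when the line behind it really is a console port whose physical access is already controlled.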

Tags: Cisco Security

Similar Questions

  • HTTPS ASA AAA authentication rules prompt

    I'm trying to configure a simple AAA rule in my lab to allow access to an internet web server via TACACS+ authentication (see attached configuration).

    This setup seems to work fine when the authentication prompt is displayed over http, while the https login page seems to have some problems, with a certificate error reported by the browser with the message: SSL_ERROR_BAD_MAC_READ

    It seems that the https login page redirection is not allowed due to a mismatch between the server address and the certificate.

    Advice and suggestions will be greatly appreciated.

    Seems to be a known issue.

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCus27650/?reffering_site...

    Kind regards

    Jousset

    ~ Please rate useful posts.

  • Server 2008 R2 domain across IP locations & internet connectivity when the domain server (or rather its internet) is down

    Sorry for the long title :P

    I recently took over IT operations for a non-profit with offices in three locations in the city.

    We have a domain server and an Exchange server at the main office where I work, and the computers in the other two offices are on the domain.

    (I guess that VPN configurations in our routers keep everything connected, but maybe I'm wrong on this.)

    My problem is that when the internet at the admin office (where the servers are) goes down, desktops at the other locations have DNS problems and cannot connect to the internet... and personal devices connected to the WiFi I provide at those places struggle as well, being able to access only certain sites and sometimes having no access at all.

    I think many computers have manually assigned IP addresses, although the computers I have built and/or formatted and installed myself work very well at the remote sites.

    Why are the computers at the other locations struggling with DNS and unable to connect to the internet when the domain server is offline? What can I do to change this? I want our employees to always have internet access even if the servers are down.

    (Being a non-profit in this city, IT is the thing most organizations have no budget for.)

    The problem was the result of a secondary DNS server not being set in the router at the remote site. My computer guy set Comcast as the secondary DNS for when the primary DNS server (my domain controller) is not available... problem solved :)

  • Direct connection to the desktop - clients still lose access when the server goes down or the service is restarted

    I set up the connection server with "Direct connection to desktop" ticked; I did that so that once the initial connection has been made to the broker and a desktop has been assigned, the client connects directly to the desktop and no longer cares about the state of the connection server. After a restart, or just restarting the VMware View Connection Server service, all clients lose access until it is back up.

    Is that right? We use View 3.1.

    Thank you

    That's strange; I can restart my connection server without affecting any users. How many connection brokers do you have, and do you have direct connection enabled on all of them?

    If you have found this or any other post useful please consider using the helpful/correct buttons to award points

  • Excluding Terminal Server lines from AAA authentication

    Hi all

    Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location XXXXXX XXXXXX BT decoder
     no motd-banner
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a matter of disabling login on the line or of using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication on the aux line and adjust your AAA configuration:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You can also configure a local username/password and map it to the group here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • TACACS+ authentication/authorization based on the user's subnet

    Hi guys/girls

    We have a number of production devices which are configured with Cisco TACACS+ and all of them work very well. But now I have a requirement to implement SSH version 2 across the network, which consists of about 8000 Cisco devices.

    I need to develop a proof of concept (POC) that enabling SSH on production devices will not affect the existing TACACS+ user authentication and authorization.

    Our lab Cisco devices were already configured with the production TACACS+ server for authentication and authorization. Now, I am allowed to test SSH on these lab devices, but without disrupting other users who use the same lab devices.

    So, I want to enable SSH version 2 on these lab devices; however, when a user comes from a certain specific subnet, this user must be authenticated and authorized by the LAB TACACS+, not the production TACACS+. Please note that the lab devices I'm testing with are also already configured for the production TACACS+ server. These lab devices must be able to do authentication and authorization against two different TACACS+ servers based on the subnet the user is coming from.

    Is this plan feasible? I have looked for documentation on how to implement a test of this method, without success.

    Your comments will be appreciated and rated.

    Thank you

    Rizwan James

    Adely,

    It won't work. TACACS+ authentication begins once the SSH connection is established: the NAS (router or switch) opens a TACACS+ connection and sends the start packet to the TACACS+ server, after which the 'getusername' message is sent from the TACACS+ server to the device and on to the user's terminal. You cannot create an ACL to choose which TACACS+ servers you authenticate against either. As for authenticating users from a specific subnet to a specific TACACS+ server, that is not the design of TACACS+; when you configure multiple servers in a group it is to ensure high availability, so that when one TACACS+ server goes down you have a secondary to continue handling authentication requests.

    Here is an example of how TACACS+ authentication is performed.

    http://www.Cisco.com/en/us/Tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

    Thank you and I hope this helps.

    Tarik Admani
    *Please rate helpful posts*

  • Default password when the server is unreachable

    Hi, I recently configured AAA. When the server is running everything is fine, but when the server is unreachable, I'm locked out. How can I set a default username and password for when the server is unreachable?

    Thank you

    James

    There are several ways to configure AAA so that you are not locked out if the server is not available. You can use a locally configured username, as you suggest here, or you can use the configured line passwords.

    To use a locally configured user your configuration might look like this:

    username rick password cisco
    aaa authentication login default group tacacs+ local

    Or, to use the line passwords as a backup, your config might look like this:

    aaa authentication login default group tacacs+ line

    You also probably need a backup for access to privileged mode. This is usually done by using the locally configured enable secret. To do this the configuration might look like this:

    aaa authentication enable default group tacacs+ enable

    HTH

    Rick

  • AAA authentication & accounting using the tacacs-server commands

    On page 394 of the Cisco Remote Access Companion Guide we have these configuration lines:

    RTA(config)#tacacs-server host 192.168.0.11
    RTA(config)#tacacs-server host 192.168.0.12
    RTA(config)#tacacs-server key topsecret
    RTA(config)#aaa new-model
    RTA(config)#aaa authentication login default group tacacs+

    If I want to add the following command to the configuration above:

    RTA(config)#aaa accounting connection default start-stop group tacacs+

    Is it necessary that the above lines be entered in a specific order when I configure the RTA?

    No, the order in which you enter the commands doesn't matter.

  • 2611XM Terminal Server + ACS + re-authentication when selecting menu options

    Hello

    I managed to configure ACS authentication on my 2611XM router.

    After connecting to the router, I have an autocommand configured to run a menu.

    My problem is that when you select an option in the menu,

    you are then prompted to re-authenticate against the router before connecting to the line.

    Can someone tell me how to prevent this?

    Thank you for your time and effort in advance; I have attached the config below.

    DDRAS01#sh running-config
    Building configuration...

    Current configuration : 6854 bytes
    !
    ! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
    ! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    !
    hostname DDRAS01
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication enable default
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common
    clock timezone EST 10
    clock summer-time EST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    ip domain list
    ip domain list
    ip domain name
    ip host dd-cr-01F 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server
    ip name-server
    !
    !
    !
    username operators privilege 15 password 7
    !
    !
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    !
    !
    interface Loopback0
     ip address 172.16.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 255.255.255.0
     speed 100
     full-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface BRI0/0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    !
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    !
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging
    snmp-server community RO
    snmp-server community RW
    snmp-server location
    snmp-server contact operators
    !
    menu ddras01 title ^C
    Cisco Terminal Server
    Select a number from the list below
    Use "ctrl+shift+6" then 'x' to return to the menu
    ^C
    menu ddras01 text 1 connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text 9 exit
    menu ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu ddras01 status-line
    menu ddras01 line-mode
    tacacs-server host 10.2.0.50
    tacacs-server directed-request
    tacacs-server key 7
    !
    control-plane
    !
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    !
    line con 0
     password 7
     logging synchronous
    line 33 64
     no exec-banner
     exec-timeout 0 0
     no activation-character
     no exec
     transport preferred telnet
     transport input all
     escape-character 27
     stopbits 1
     flowcontrol hardware
    line aux 0
    line vty 0 4
     password 7
     logging synchronous
     autocommand menu ddras01
    line vty 5 181
     password 7
     logging synchronous
     autocommand menu ddras01
    !
    ntp clock-period 17208487
    ntp source FastEthernet0/0
    ntp server
    end

    Hello

    You have the aaa login default configured for authentication; with this you get prompted

    when you try to access the line.

    Under line vty 5 181 try adding:

     login authentication NOAUTH
     authorization exec NOAUTH

    Add the aaa lines:

    aaa authentication login NOAUTH none
    aaa authorization exec NOAUTH none

    This should stop the authentication on the lines.

    -Jesse

  • TACACS+ Queuing AAA authentication

    Hello

    I've recently upgraded the IOS on my 3560X to 15.0(2)SE3 and I can't get TACACS+ working correctly. It worked properly on this device until I upgraded the IOS, so I don't know what happened. I've made a few other changes as well (management IP change and cleaning up other config) so I'm not 100% sure the issue was the IOS. I have this exact same config on several other Cisco devices and it works fine. Any thoughts are appreciated.

    Config:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    ip tacacs source-interface Vlan1
    tacacs-server host 10.x.x.x key *

    Debugs:

    TPLUS: Queuing AAA Authentication request 88 for processing

    It never gets past queuing. I can't find a way to clear the queue either.

    I have to shut down the uplink port and reboot the switch just to get in on the console port. At that point, I get one authentication attempt (debug below) before it goes back to the queuing messages.

    Mar 29 21:34:36.864 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to
    Mar 29 21:40:48.068 CDT: TPLUS: Queuing AAA Authentication request 47 for processing
    Mar 29 21:40:48.068 CDT: TPLUS: processing authentication start request id 47
    Mar 29 21:40:48.068 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
    Mar 29 21:40:48.068 CDT: TPLUS: Using server 10.x.x.x
    Mar 29 21:40:48.068 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Started 5 sec timeout
    Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Got immediate connect on new 0
    Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE/68F4CBC: Started 5 sec timeout
    Mar 29 21:40:48.077 CDT: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
    Mar 29 21:40:48.077 CDT: T+: session_id 912650955 (0x3665F2CB), dlen 32 (0x20)
    Mar 29 21:40:48.077 CDT: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Mar 29 21:40:48.077 CDT: T+: svc:LOGIN user_len:11 port_len:4 (0x4) rem_addr_len:9 (0x9) data_len:0
    Mar 29 21:40:48.077 CDT: T+: user:  **USERNAME**
    Mar 29 21:40:48.077 CDT: T+: port: tty1
    Mar 29 21:40:48.077 CDT: T+: rem_addr: 10.y.y.y
    Mar 29 21:40:48.077 CDT: T+: data:
    Mar 29 21:40:48.077 CDT: T+: End Packet
    Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE: write to 10.x.x.x failed with errno 257 ((ENOTCONN))
    Mar 29 21:40:48.077 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
    Mar 29 21:40:48.077 CDT: TPLUS(0000002F): Start write failed
    Mar 29 21:43:01.976 CDT: %SYS-5-CONFIG_I: Configured from console by dcmorris on console
    Mar 29 21:43:08.057 CDT: TPLUS: Queuing AAA Authentication request 48 for processing
    Mar 29 21:45:24.842 CDT: TPLUS: Queuing AAA Authentication request 49 for processing
    Mar 29 21:48:52.494 CDT: TPLUS: Queuing AAA Authentication request 50 for processing

    You might want to take a look here

    https://supportforums.Cisco.com/message/3965551#3965551

    Jatin kone

    -Please rate helpful posts-
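    The `T+:` lines in the debug above print the TACACS+ header and the authentication START body field by field; this is the START side of the exchange Tarik Admani describes in the subnet thread (START from the NAS, then GETUSER from the server). The Python below is an added example, not code from this thread or from Cisco. It rebuilds that packet per RFC 8907 from the printed values (version 0xC0, type 1, seq 1, session_id 0x3665F2CB, priv_lvl 1, action LOGIN, authen_type ASCII, service LOGIN, port tty1) and shows that the body length comes to the `dlen 32` the debug reports. The username, remote address and shared key are constructed placeholders of the lengths the debug shows (user_len 11, rem_addr_len 9). The body protection it applies is the RFC 8907 MD5 pseudo-pad, which the RFC itself classes as obfuscation rather than encryption: anyone holding the shared key, or able to brute-force it from a capture, recovers the username, priv_lvl and every later packet, which is why TACACS+ traffic belongs on a management network and keys should be long and unique per server.

```python
"""TACACS+ (RFC 8907) authentication START packet: build, obfuscate, parse.

Added example, not code from the thread or from Cisco. Field values follow
the debug output above; USER, REM_ADDR and KEY are constructed placeholders.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12
TAC_PLUS_VERSION = 0xC0                     # major 0xC, minor 0 -> 'Version 192 (0xC0)'
TAC_PLUS_AUTHEN = 0x01                      # packet type 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01            # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01                # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# Constructed values matching the lengths in the debug (user_len 11, rem_addr_len 9).
SESSION_ID = 0x3665F2CB
USER = "netadmin-01"
PORT = "tty1"
REM_ADDR = "10.9.8.77"
KEY = b"constructed-shared-key"


def build_authen_start(user, port, rem_addr, priv_lvl=1, data=b""):
    """Authentication START body (RFC 8907 section 5.1): 8 fixed bytes + strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def parse_authen_start(body):
    """Inverse of build_authen_start; returns the fields the debug prints."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem, off = body[off:off + rl], off + rl
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "data": body[off:off + dl]}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id|key|version|seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id, seq_no, body, key):
    """Header + body. With an empty key the body goes out in the clear and the
    TAC_PLUS_UNENCRYPTED_FLAG is set (deprecated by RFC 8907)."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    payload = body if not key else xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + payload


def parse_header(pkt):
    v, t, s, f, sid, ln = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"version": v, "type": t, "seq_no": s, "flags": f, "session_id": sid, "length": ln}


def recover_body(pkt, key):
    """What the server, or anyone holding the key, does with a captured packet."""
    h = parse_header(pkt)
    body = pkt[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, h["session_id"], key, h["version"], h["seq_no"])


if __name__ == "__main__":
    body = build_authen_start(USER, PORT, REM_ADDR)
    pkt = build_packet(SESSION_ID, 1, body, KEY)
    print(parse_header(pkt), "dlen", len(body))           # length 32, as in the debug
    print(parse_authen_start(recover_body(pkt, KEY)))
```

    The ENOTCONN write failure in the debug happens before any of this leaves the switch: the TCP connection to port 49 never completed, so no START packet was ever on the wire, which is why the request stays queued rather than timing out against the server.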

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client I will apply aaa authentication/authorization under vty. The issue is, if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host <IP>
    tacacs-server key <key>
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty stop-only group tacacs+
    aaa accounting connection authvty start-stop group tacacs+

    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestion will be appreciated!

    It should work, because it is a prompt/banner message whenever you try to connect (console/vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15 - local)

    ************************************************************

    Unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router#

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Now enter your password:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • Connecting to SQL Server using Windows authentication

    I would like to use SQL Developer (v1.5) to connect to a SQL Server 2005 instance using Windows authentication. I downloaded jtds-1.2.jar and set its path as a preference in the Tools\Preferences\Database\Third Party JDBC Driver dialog box.

    I was able to connect to SQL Server 2005 successfully if I use SQL authentication and provide a user_id and password.

    It is my preference to use Windows authentication for the connection. However, when I try to connect, I get the following error:

    Failure - I/O Error: SSO Failed: Native SSPI library not loaded. Check the java.library.path system property

    I have no idea what it means. I'm not a Java programmer and I am very new to Oracle in general, so could someone give me some guidance on what I'm missing?

    Thank you

    After reading the thread referenced by Jim Smith (thanks!), I wanted to copy the information into this topic... and update it to say that these same steps work for SQL Developer 1.5.1 & SQL Server 2005. Don't miss step 5 if you want to enable NT authentication.

    {From referenced post}

    SQL Developer for MS SQL SERVER 2000 Setup

    (1) Install/extract SQL Developer 1.2.1 in C:\Program Files\Oracle
    Let {$sqldevhome} = C:\Program Files\Oracle\sqldeveloper

    (2) Get the SQL SERVER JDBC plugin (jtds-1.2.2-dist.zip) from:
    http://sourceforge.NET/project/showfiles.php?group_id=33291&package_id=25350

    (3) Unpack jtds-1.2.2-dist.zip
    Creates: jtds-1.2.2.jar
    \x86\SSO\ntlmauth.dll

    (4) Copy jtds-1.2.2.jar into the:
    {$sqldevhome}\jlib directory.

    (5) Copy the ntlmauth.dll from the \x86\SSO subdirectory to:
    {$sqldevhome}\jdk\jre\bin\ntlmauth.dll

    (6) In SQL Developer:
    Go to the 'Tools' menu
    - Preferences...
    Expand "[+] Database"
    Choose "Third Party JDBC Drivers"
    Click 'Add Entry'
    Then locate your copy of '{$sqldevhome}\jlib\jtds-1.2.2.jar'
    Note: Use the name of the jar file, not its parent directory, for the entry.

    (7) Restart SQL Developer and try your SQL Server 2000 (or SQL Server 2005) connection

  • cRIO crashes when using TCP communication and the web server

    Hello

    My cRIO controller crashes after a short time (usually less than a minute) when I use the web server (to interact with a remote panel) and at the same time do some TCP communication (using the STM 2.0 library) for data logging. Is it a problem of overall controller performance, or a network bandwidth problem (I only send some values every 100 ms), or a programming problem; in the latter case, what should I do to make the system more stable?

    Kind regards

    PS: I use a cRIO 9022 with LV 2009 f2 + RT and NI-RIO 3.3.0

    Hello

    You can try with a simple while loop + delay instead of a timed loop for the TCP communication loop.

    Regards

  • How to save the password encrypted in the database using database authentication (WebLogic server)

    Hi Experts,

    JDev version 11.1.1.7.0

    I have a use case where I use database authentication in my application.

    However, when I save the user record, the password is saved without encryption. Can you suggest how I can do this?

    Thank you

    Roy

    Please see

    https://docs.Oracle.com/CD/E16162_01/user.1112/e17455/dev_secure_apps.htm#OJDUG1168

  • Connecting to SQL Server using Windows authentication

    We connect to a SQL Server database via a dblink using HS with SQL Server authentication (Oracle 10g DB on a Windows server); the SQL Server DB has been moved to a new server, and there it is configured to use Windows authentication only. Is it possible to use the dblink/HS with Windows authentication on the SQL Server side? Oracle support's answer is no, but I thought I'd ask around...

    Thank you!

    Edited by: user11968137 on March 28, 2013 11:42

    Gateway for ODBC 10g or 11g is supported only with SQL Server authentication, not Windows authentication.

    If your SQL Server is configured only for Windows authentication, you have no other option than to change the SQL Server configuration to support Mixed Mode (Windows authentication and SQL Server authentication).

    Kind regards

    Mireille-
