HTTP using AAA authentication when the TACACS+ server is down
I installed AAA using TACACS+ and everything works well except for HTTP authentication through a browser or Network Assistant when the RADIUS server is down. For console and telnet connections, the default authentication falls back to the line password when TACACS+ is out of service.
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip http authentication aaa
!
radius-server host 10.161.161.20
radius-server key 111111
It must have something to do with the fact that over HTTP or CNA it connects to the router at level 15, but I have played with all sorts of different authorization orders and cannot get it to work.
Paul
What do you want to do for authentication if the RADIUS server is down? For telnet and console access you can use line as a backup method because it is possible to configure a password for the line on the console and vty ports. Which type of backup method do you want for HTTP? The one that seems most logical to me would be local authentication, to cover the situation where the server is down.
To use local authentication, you must do the following:
-create a local user definition (maybe more than one if you need extended security).
-specify a named method list for aaa authentication.
-specify that http uses the named method list.
The configuration might look like this:
username tech1 password tech1
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa login-authentication http_auth
Or you can decide to use the enable secret (or the enable password, if that is what is configured). The config might look like this:
aaa authentication login http_auth group tacacs+ enable
ip http authentication aaa login-authentication http_auth
If you want a different backup method, let us know what it is and we'll see how it could be implemented.
HTH
Rick
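The method-list reasoning in Rick's answer can be checked mechanically. The following Python is an added example, not code from this thread or from Cisco: it parses the 'aaa authentication login' method lists plus the HTTP and per-line bindings out of a running-config and reports which login paths would lock out when every server group is unreachable, treating 'line' as a usable fallback for console/aux/vty sessions but not for the HTTP server. It goes a little beyond the question by also handling named lists, per-line 'login authentication' bindings and a 'none' method; the sample configs inside are constructed.

```python
"""Audit IOS 'aaa authentication login' lists for server-down fallback (added example, constructed inputs)."""
import re

# Methods that still work with every server group unreachable. 'line' needs a
# line password, so it covers con/aux/tty/vty sessions but never the HTTP server.
LINE_FALLBACKS = {"local", "local-case", "enable", "line"}
HTTP_FALLBACKS = {"local", "local-case", "enable"}

def parse_method_lists(config):
    """Return {list_name: [methods]} from 'aaa authentication login' lines."""
    lists = {}
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", raw.strip())
        if not m:
            continue
        toks, methods = m.group(2).split(), []
        while toks:
            tok = toks.pop(0)
            if tok == "group" and toks:      # 'group tacacs+', 'group radius', 'group NAME'
                tok += " " + toks.pop(0)
            methods.append(tok)
        lists[m.group(1)] = methods
    return lists

def parse_bindings(config):
    """Map login paths ('http', 'con 0', 'vty 0 4', ...) to the list each one uses."""
    bindings, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip http authentication (aaa|local|enable)(?: login-authentication (\S+))?", line)
        if m:
            mode, lst = m.groups()
            bindings["http"] = (lst or "default") if mode == "aaa" else "<" + mode + ">"
            continue
        m = re.match(r"line ((?:con|aux|tty|vty|\d+)(?: \d+)*)$", line)
        if m:
            current = m.group(1)
            bindings.setdefault(current, "default")   # no explicit list means 'default'
            continue
        if line.startswith("!") or line == "end":
            current = None
        elif current and line.startswith("login authentication "):
            bindings[current] = line.split()[2]
    return bindings

def audit(config):
    """Per path: 'ok', 'LOCKOUT' (no usable fallback), 'OPEN' (method none) or 'MISSING <list>'."""
    lists, verdicts = parse_method_lists(config), {}
    for path, name in parse_bindings(config).items():
        if name.startswith("<"):             # http authenticating locally, no server involved
            verdicts[path] = "ok"
            continue
        methods = lists.get(name)
        if methods is None:
            verdicts[path] = "MISSING " + name
            continue
        allowed = HTTP_FALLBACKS if path == "http" else LINE_FALLBACKS
        if "none" in methods:
            verdicts[path] = "OPEN"
        elif any(m in allowed for m in methods):
            verdicts[path] = "ok"
        else:
            verdicts[path] = "LOCKOUT"
    return verdicts

# Constructed config in the original poster's shape: 'line' fallback protects the
# console and vty lines, but the HTTP server has no line password to fall back to.
BEFORE = """\
aaa authentication login default group tacacs+ line
ip http authentication aaa
line con 0
line vty 0 4
!
"""
# Constructed fix in the shape of the accepted answer: a dedicated list with a local
# fallback bound to HTTP only; console and vty keep the default list.
AFTER = BEFORE.replace(
    "ip http authentication aaa",
    "aaa authentication login http_auth group tacacs+ local\n"
    "ip http authentication aaa login-authentication http_auth")
```

Running audit(BEFORE) reports the HTTP path as LOCKOUT while console and vty are ok; audit(AFTER) reports all three as ok.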
Similar Questions
-
HTTPS ASA AAA authentication rule prompt
I'm trying to configure a simple AAA rule in my lab to allow access to the Internet web server via TACACS+ authentication (see attached configuration).
This setup seems to work fine when the authentication prompt is displayed using HTTP, while the HTTPS login page seems to have some problems: the browser reports a certificate error with the message SSL_ERROR_BAD_MAC_READ.
It seems that the HTTPS login page redirection is not allowed due to a server address/certificate mismatch.
Advice and suggestions will be greatly appreciated.
Seems to be a known issue.
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCus27650/?reffering_site...
Kind regards
Jousset
~ Please rate useful messages.
-
Sorry for the long title :p
I recently took over IT operations for a non-profit in the city, with offices in three locations in the city.
We have a domain server and an Exchange server at the main office where I work, and the computers in the other two offices are in the field.
(I guess that the VPN configurations in our routers keep everything connected, but maybe I'm wrong about this...)
My problem is that when the internet at the admin office (where the servers are) goes down, desktops at the other locations have DNS problems and cannot connect to the internet... and personal devices connected to the WiFi I provide at those places struggle as well, being able to access only certain sites and sometimes having no access at all.
I think it has to do with how many of the computers are assigned IP addresses, although the computers I have built and/or formatted and installed myself work very well in the field.
Why are the computers at the other locations struggling with DNS and unable to connect to the internet when the domain server is offline? What can I do to change this? I want our employees to always have internet access even if the servers are down.
(Being a non-profit in this city, it is the IT that most of the companies not having a budget do not have.)
The problem was the result of a secondary DNS server not being set in the router at that location. My computer guy set Comcast as the secondary for when the main DNS server (my domain controller) is not available... problem solved :)
-
I set up the connection server with "Direct connection" ticked; I did that so that once the initial connection has been made to the broker and a desktop has been assigned, the client connects directly to the desktop and does not care about the state of the connection server. After a restart, or just restarting the VMware View Connection Server service, all clients lose access until it is back up.
Is that right, given that we use View 3.1?
Thank you
It's strange; I can restart my connection server without worrying about any of the users. How many connection brokers do you have, and have you enabled direct connection on all of them?
If you have found this or any other post useful, please consider using the helpful/correct buttons to award points.
-
Excluding Terminal Server lines from AAA authentication
Hi all
Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction to solve it?
I've included the output below:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
line 41
 session-timeout 20
 location XXXXXX XXXXXX BT decoder
 no motd-banner
 no exec-banner
 absolute-timeout 240
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 38400
Is it a matter of disabling it on the line, or of using a defined group?
Thanks a lot for your help.
Jim.
Hi Jim
You may need to create another group for authentication on the aux line and add it to your AAA configuration:
line aux 0
 login authentication aux_auth
aaa authentication login aux_auth line
You can also configure a local username/password and map it to the group here...
Console and telnet would still use the configured default group, or you can specify specific groups:
line con 0
 login authentication console
line vty 0 4
 login authentication vty
and specify the aaa authentication settings individually...
I hope this helps... all the best
REDA
-
TACACS+ authentication/authorization based on the user's subnet
Hi guys/girls
We have a number of production devices which are configured with Cisco TACACS+ and they all work very well. But now I have a requirement to implement SSH version 2 across the network, which consists of about 8000 Cisco devices.
I need to develop a proof of concept (POC) that enabling SSH on production devices will not affect the existing TACACS+ user authentication and authorization.
Our lab Cisco devices are already configured with the production TACACS+ server for authentication and authorization. Now I am allowed to test SSH on these lab machines, but without disrupting other users who use the same lab devices.
So I want to enable SSH version 2 on these lab machines; however, when a user comes from a certain specific subnet, that user must be authenticated and authorized by the LAB TACACS+, not the production TACACS+. Please note that the lab devices I'm testing with are also already configured for the production TACACS+ server. These lab devices must be able to do authentication and authorization against two different TACACS+ servers based on the subnet the user is coming from.
Is this plan feasible? I am looking for documentation to implement and test this method, without success so far.
Your comments will be appreciated and valued.
Thank you
Rizwan James
Adely,
It won't work. The TACACS+ authentication begins once the SSH connection is established: the NAS (router or switch) will open a TACACS+ connection and send the START packet to the RADIUS server, after which the 'getusername' message is sent from the RADIUS server to the device and the user's terminal. You cannot create an ACL in order to choose which TACACS+ servers you authenticate against either. Authenticating users from a specific subnet against a specific RADIUS server is not the design of TACACS+; when you configure multiple servers in a group it is to ensure high availability, such that when one TACACS+ server goes down you have a secondary to continue with the authentication requests.
Here is an example of how the RADIUS authentication is performed.
http://www.Cisco.com/en/us/Tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
Thank you and I hope this helps.
Tarik Admani
* Please rate useful messages *
-
Default password when the server is unreachable
Hi, I recently configured AAA. When the server is running everything is fine, but when the server is unreachable I'm locked out. How can I set a default username and password for when the server is unreachable?
Thank you
James
There are several ways to configure AAA so that you are not locked out if the server is not available. You can use a username that is configured locally, as you suggest, or you can use the configured line passwords.
To use a locally configured user, your configuration might look like this:
username rick password cisco
aaa authentication login default group tacacs+ local
Or, to use the line passwords as a backup, your config might look like this:
aaa authentication login default group tacacs+ line
You also probably need a backup for access to privileged mode. This is usually done using the locally configured enable secret. For this, the configuration might look like this:
aaa authentication enable default group tacacs+ enable
HTH
Rick
-
AAA authentication & accounting using TACACS+ commands
On page 394 of the Cisco Remote Access Companion Guide we have these configuration lines:
RTA(config)#tacacs-server host 192.168.0.11
RTA(config)#tacacs-server host 192.168.0.12
RTA(config)#tacacs-server key topsecret
RTA(config)#aaa new-model
RTA(config)#aaa authentication login default group tacacs+
If I want to add the following command to the configuration above:
RTA(config)#aaa accounting connection default start-stop group tacacs+
Is it necessary that the above lines be in a specific order when I configure the RTA?
No, the order in which you enter the commands doesn't matter.
-
2611XM Terminal Server + ACS + re-authentication when selecting menu options
Hello
I managed to configure ACS authentication on my 2611XM router.
After connecting to the router, I have an autocommand configured to run a menu.
My problem is that when you select an option in the menu,
you are then prompted to re-authenticate against the router before connecting to the line;
can someone tell me how to prevent this?
Thank you in advance for your time and effort; I have attached the config below.
DDRAS01#sh running-config
Building configuration...
Current configuration : 6854 bytes
!
! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication enable default
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone EST 10
clock summer-time EST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list
ip domain list
ip domain name
ip host dd-cr-01F 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server
ip name-server
!
!
!
username d'operators privilege 15 password 7
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address  255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging
snmp-server
snmp-server community  RO
snmp-server community  RW
snmp-server location
snmp-server contact d'operators
!
menu ddras01 title ^C
Cisco Terminal Server
Select number from the list below
Use "ctrl+shift+6" then 'x' to switch to the menu
^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
menu ddras01 text 9 Exit
menu ddras01 command 9 menu-exit
menu ddras01 clear-screen
menu ddras01 status-line
menu ddras01 line-mode
radius-server host 10.2.0.50
radius-server directed-request
radius-server key 7
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
 password 7
 logging synchronous
line 33 64
 no exec-banner
 exec-timeout 0 0
 no activation-character
 no exec
 transport preferred telnet
 transport input all
 escape-character 27
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7
 logging synchronous
 autocommand menu ddras01
line vty 5 181
 password 7
 logging synchronous
 autocommand menu ddras01
!
ntp clock-period 17208487
ntp source FastEthernet0/0
ntp server
end
Hello
You have the aaa login default configured for authentication; with this you get prompted
when you try to access the line.
Under line vty 5 181 try adding:
 login authentication NOAUTH
 authorization exec NOAUTH
Add the aaa lines:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
This should stop the authentication on the lines.
-Jesse
-
TACACS+ AAA authentication queueing
Hello
I've recently updated the IOS on my 3560X to 15.0(2)SE3 and I can't get TACACS+ working correctly. It worked properly on this device until I updated the IOS, so I don't know what happened. I've made a few other changes as well (management IP change and cleaning up other config), so I'm not 100% sure the issue was with the IOS. I have this same exact config on several other Cisco devices and it works fine. Any thoughts are appreciated.
Config:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface Vlan1
radius-server host
ip tacacs source-interface Vlan1
tacacs-server host 10.x.x.x key *
Debugs:
TPLUS: Queuing AAA Authentication request 88 for processing
I never get past queuing. I can't find a way to clear the queue either.
I have to disable the uplink port and reboot the switch to even get into the console port. At that point, I get 1 authentication attempt (debug below) before getting the queuing messages.
Mar 29 21:34:36.864 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to
Mar 29 21:40:48.068 CDT: TPLUS: Queuing AAA Authentication request 47 for processing
Mar 29 21:40:48.068 CDT: TPLUS: processing authentication start request id 47
Mar 29 21:40:48.068 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
Mar 29 21:40:48.068 CDT: TPLUS: Using server 10.x.x.x
Mar 29 21:40:48.068 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Started 5 sec timeout
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: got immediate connect on new 0
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE/68F4CBC: Started 5 sec timeout
Mar 29 21:40:48.077 CDT: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Mar 29 21:40:48.077 CDT: T+: session_id 912650955 (0x3665F2CB), dlen 32 (0x20)
Mar 29 21:40:48.077 CDT: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Mar 29 21:40:48.077 CDT: T+: svc:LOGIN user_len:11 port_len:4 (0x4) rem_addr_len:9 (0x9) data_len:0
Mar 29 21:40:48.077 CDT: T+: user: (*USERNAME*)
Mar 29 21:40:48.077 CDT: T+: port: tty1
Mar 29 21:40:48.077 CDT: T+: rem_addr: 10.y.y.y
Mar 29 21:40:48.077 CDT: T+: data:
Mar 29 21:40:48.077 CDT: T+: End Packet
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE: write to 10.x.x.x failed with errno 257 ((ENOTCONN))
Mar 29 21:40:48.077 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
Mar 29 21:40:48.077 CDT: TPLUS(0000002F): Start write failed
Mar 29 21:43:01.976 CDT: %SYS-5-CONFIG_I: Configured from console by dcmorris on console
Mar 29 21:43:08.057 CDT: TPLUS: Queuing AAA Authentication request 48 for processing
Mar 29 21:45:24.842 CDT: TPLUS: Queuing AAA Authentication request 49 for processing
Mar 29 21:48:52.494 CDT: TPLUS: Queuing AAA Authentication request 50 for processing
You might want to take a look here
https://supportforums.Cisco.com/message/3965551#3965551
Jatin kone
- Please rate useful messages -
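To relate the T+ lines in the debug above to what actually goes on the wire, here is an added example (not code from this thread or from Cisco) that builds and decodes a TACACS+ authentication START packet as specified in RFC 8907, including the chained-MD5 pseudo-pad body obfuscation, and returns the same fields the debug prints: version 0xC0, seq, session_id, dlen, type/action/authen_type/svc and the user, port and rem_addr lengths. The session id is taken from the debug; the shared key, username and remote address are constructed placeholders.

```python
"""Build and decode a TACACS+ (RFC 8907) authentication START packet, reporting the
fields that 'debug tacacs' prints. Added example; key, user and address are constructed."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 1
UNENCRYPTED_FLAG, SINGLE_CONNECT_FLAG = 0x01, 0x04
ACTIONS = {1: "LOGIN", 2: "CHPASS", 4: "SENDAUTH"}
AUTHEN_TYPES = {1: "ASCII", 2: "PAP", 3: "CHAP", 5: "MSCHAP", 6: "MSCHAPV2"}
SERVICES = {0: "NONE", 1: "LOGIN", 2: "ENABLE", 3: "PPP"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_start(session_id, key, user, port, rem_addr, priv_lvl=1, seq_no=1):
    """Client side: an obfuscated AUTHEN START with action LOGIN, type ASCII, svc LOGIN."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, 0xC0, seq_no, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def decode_start(packet, key):
    """Parse the header, de-obfuscate the body and return the debug-style fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = packet[HEADER.size:]
    if not flags & UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != length:          # a wrong key yields garbage lengths
        raise ValueError("body length fields do not add up to dlen (wrong key?)")
    user = body[8:8 + ul].decode()
    port = body[8 + ul:8 + ul + pl].decode()
    rem_addr = body[8 + ul + pl:8 + ul + pl + rl].decode()
    return {
        "version": version, "seq": seq_no, "session_id": session_id, "dlen": length,
        "encrypted": not flags & UNENCRYPTED_FLAG,
        "single_connect": bool(flags & SINGLE_CONNECT_FLAG),
        "action": ACTIONS.get(action, action), "priv_lvl": priv_lvl,
        "authen_type": AUTHEN_TYPES.get(authen_type, authen_type),
        "svc": SERVICES.get(service, service),
        "user": user, "port": port, "rem_addr": rem_addr, "data": body[8 + ul + pl + rl:],
    }

# Constructed sample in the shape of the debug above: 11-character user, port tty1,
# 9-character remote address and no data, so dlen = 8 + 11 + 4 + 9 = 32 (0x20).
SAMPLE_KEY = b"placeholder-shared-key"   # constructed, not a real key
SAMPLE = build_start(0x3665F2CB, SAMPLE_KEY, "exampleusr1", "tty1", "10.0.0.12")
```

Decoding SAMPLE with the right key reproduces the debug's session_id 912650955 and dlen 32; with a wrong key the length fields no longer add up and decode_start raises, which is also what a key mismatch between the NAS and the server looks like in a capture.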
-
aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is if I use the following command
aaa authentication enable default group tacacs+ enable
What happens if I connect via the console? Do I need to enter a username and password?
Here is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
radius-server host IP
radius-server key
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
Any suggestion will be appreciated!
It should work because it is a prompt/banner message whenever you try to connect (console/vty). I set it up on my router.
If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:
************************************************************
* Username: cisco, password: cisco (priv 15 - local)       *
************************************************************
Unauthorized use is prohibited.
Enter your name here: User1
Now enter your password:
Router#
The configuration more or less looks like this:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Now enter your password:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK
-
Connecting to SQL Server using Windows authentication
I would like to use SQL Developer (v1.5) to connect to a SQL Server 2005 instance using Windows authentication. I downloaded jtds-1.2.jar and set its path as a preference in the Tools\Preferences\Database\Third Party JDBC Driver dialog box.
I was able to connect to SQL Server 2005 successfully if I use SQL authentication and provide a user id and password.
My preference is to use Windows authentication for the connection. However, when I try to connect, I get the following error:
Failure - I/O Error: SSO Failed: Native SSPI library not loaded. Check the java.library.path system property
I have no idea what it means. I'm not a Java programmer and I am very new to Oracle in general; can someone give me some guidance as to what I am missing?
Thank you
After reading the thread referenced by Jim Smith (thanks!), I wanted to copy the information into this topic... and update it to say that these same steps work for SQL Developer 1.5.1 & SQL Server 2005. Don't miss step 5 if you want to enable NT authentication.
{From referenced post}
SQL Developer for MS SQL SERVER 2000 Setup
(1) Install/extract SQL Developer 1.2.1 in C:\Program Files\Oracle
    Let {$sqldevhome} = C:\Program Files\Oracle\sqldeveloper
(2) Get the SQL Server JDBC plugin (jtds-1.2.2-dist.zip) from:
    http://sourceforge.NET/project/showfiles.php?group_id=33291&package_id=25350
(3) Unpack jtds-1.2.2-dist.zip
    Created: jtds-1.2.2.jar
             \x86\SSO\ntlmauth.dll
(4) Copy jtds-1.2.2.jar into the {$sqldevhome}\jlib directory.
(5) Copy the dll from the \x86\SSO subdirectory, ntlmauth.dll, to:
    {$sqldevhome}\jdk\jre\bin\ntlmauth.dll
(6) In SQL Developer:
    Go to the 'Tools' menu
    - Preferences...
    Expand "[+] Database"
    Choose "Third-party JDBC Drivers"
    Click 'Add Entry'
    Then locate your copy of '{$sqldevhome}\jlib\jtds-1.2.2.jar'
    Note: use the name of the jar file, not its parent directory, for the entry.
(7) Restart SQL Developer and try your SQL Server 2000 (or SQL Server 2005) connection
-
cRIO crashes when using TCP communication and the web server
Hello
My cRIO controller crashes after a short time (usually less than a minute) when I simultaneously use the web server (to interact with a remote front panel) and do some TCP communication (using the STM 2.0 library) for data logging. Is it a problem of overall controller performance, a problem of network bandwidth (I'm only sending some values every 100 ms), or a programming problem? In the latter case, what should I do to make the system more stable?
Kind regards
PS: I use a cRIO 9022 with LV 2009f2 + RT and NI-RIO 3.3.0
Hello
You can try a simple while loop + delay instead of a timed loop for the TCP communication loop.
Regards
-
Hi Experts,
JDEV version 11.1.1.7.0
I have a use case where I use database authentication in my application.
However, if I save the user's password through the module, it is saved without encryption. Can you suggest how I can do this?
Thank you
Roy
Please see
https://docs.Oracle.com/CD/E16162_01/user.1112/e17455/dev_secure_apps.htm#OJDUG1168
-
Connect to SQL Server using Windows authentication
We connect to a SQL Server database via dblink using SQL Server authentication (Oracle 10g DB on Windows server, HS). The SQL Server DB is being moved to a new server where it is configured to use Windows authentication only. Is it possible to use the dblink/HS with Windows authentication on the SQL Server side? Oracle support's answer is no, but I thought I'd ask around...
Thank you!
Published by: user11968137 on March 28, 2013 11:42
Gateway for ODBC 10g or 11g is supported only with SQL Server authentication, not Windows authentication.
If your SQL Server is configured only for Windows authentication, you have no other way than to change the configuration of the SQL Server to support mixed mode (Windows authentication and SQL Server authentication).
Kind regards
Mireille
-