HTTPS ASA AAA authentication rules prompt

I'm trying to configure a simple rule of AAA in my lab to allow access to the internet web server via authentication GANYMEDE + (see attached configuration).

This Setup seems to work fine when the authentication prompt is displayed using http, while the https login page seems to have some problems with a certificate error recognized from the browser with the message: SSL_ERROR_BAD_MAC_READ

It seems that https login page redirection is not allowed due to server address certificate incompatibility.

Advice and suggestions will be greatly appreciated.

Seems to be a known issue.

https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCus27650/?reffering_site...

Kind regards

Jousset

~ Make rate of useful messages.

Tags: Cisco Security

Similar Questions

  • http using aaa authentication when Ganymede server is down

    I installed AAA using Ganymede and everything works well except for authentication http through a browser or a network Assistant when the RADIUS server is down. For console and telnet connections, the default authentication line when Ganymede is out of service.

    AAA new-model

    AAA authentication login default group Ganymede + line

    AAA authorization exec default group Ganymede + authenticated if

    AAA accounting update newinfo

    AAA accounting exec default start-stop Ganymede group.

    only AAA 0 default stop accounting controls group Ganymede +.

    only AAA 1 default stop accounting controls group Ganymede +.

    accounting AAA commands default 15 stop only Ganymede group.

    !

    aaa IP http authentication

    !

    radius-server host 10.161.161.20

    111111 radius-server key

    It must be something with the fact that on http or ANC, it connects to the router at level 15, but I have played with all sorts of orders of different authorization and cannot operate.

    Paul

    What you want to do for authentication if the RADIUS server is down? For telnet and console access you can use the line as a backup method because it is possible to configure a password for the line on the console and vty ports. Which type of backup method you want for HTTP? The one that seems most logical to me would be to a local authentication in order to cover the situation where the server is down.

    To use local authentication, you must do the following:

    -create a definition of the local user (maybe more if you need extended security).

    -specify a special method for authentication of the aaa.

    -specify that http, using the special method.

    The configuration might look like this:

    password user tech1 tech1

    AAA authentication login http_auth group Ganymede + local

    IP http authentication aaa - authentication of the connection http_auth

    Or you can decide to use the secret to activate (or password that is configured in office). The config might look like this:

    AAA authentication login http_auth group Ganymede + activate

    IP http authentication aaa - authentication of the connection http_auth

    If you want a different backup method, let us know what it is and we'll see how it could be implemented.

    HTH

    Rick

  • the AAA authentication enable default group Ganymede + activate

    I implement CSACS 4.0. First of all on the client, I will apply aaa authenticatio / authorization under vty. The issure if I use the followin command

    the AAA authentication enable default group Ganymede + activate

    What happens if I connect via the console? I need to enter a name of user and password?

    Here is my configuration

    AAA new-model

    Group authvty of connection authentication AAA GANYMEDE + local

    the AAA authentication enable default group Ganymede + activate

    authvty orders 15 AAA authorization GANYMEDE + local

    RADIUS-server host IP

    Radius-server key

    Ganymede IP source interface VLAN 3

    AAA accounting send stop-record an authentication failure

    AAA accounting delay start

    AAA accounting exec authvty start-stop group Ganymede +.

    orders accounting AAA 15 authvty power group Ganymede +.

    AAA accounting connection authvty start-stop group Ganymede +.

    line vty 0 15

    connection of authentication authvty

    authorization orders 15 authvty

    authvty connection accounting

    accounting orders 15 authvty

    accunting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a guest message.banner whenever you try to connect (console/vty). I set it up on my router.

    If you have banner motd, it will appear as well (see below). So, I have to remove it to get only the aaa banner & prompt is displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15f - local) *.

    ************************************************************

    Any unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router #.

    The configuration more or less looks like this:

    AAA new-model

    AAA authentication banner ^ is forbidden to use CUnauthorized. ^ C

    AAA authentication password prompt "enter your password now:

    AAA-guest authentication username "enter your name here:

    Group AAA authentication login default RADIUS

    local authentication AAA CONSOLE connection

    HTH

    AK

  • Activate the ASA system context AAA authentication

    Hello!

    We have ASA configured in multiplayer in context with 8.4 (2) software configured for AAA

    Configuration is admin context as follows:

    AAA-server TAC Protocol Ganymede +.

    host of the TAC AAA-server 10.162.2.201 (management)

    key *.

    Console to enable AAA authentication LOCAL TAC

    TAC LOCAL console for AAA of http authentication

    AAA authentication serial console LOCAL TAC

    authentication AAA ssh console LOCAL TAC

    Because of the multiple context, after the connection we enter in the system context. Console port authentication works very well except access to the privileged mode when you connect through the console port.

    After the show 'enable' command ASA accepts only configured activate secret in context and change ID of user system for enable_15, so we are unable to do accounting and authorization of user level control.

    It seems that the ASA in the context of the system is not aware of all the configurations of AAA, and it is not a command to configure AAA in the context of the system.

    Is there a way to configure enable AAA authentication in the context of the system?

    Thanks in advance!

    Hello

    It looks like you hit this known issue that follows:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw18455

    Admin context allow mode compared to the context system DB credentials

    Symptom:

    In multi-mode configuration, the user to enter privileged mode credentials
    (enable mode) via the serial console is not sent to an external server
    role of authentication.

    Conditions:

    ASA/PIX is in multi mode. serial console and activate the console authentication
    are configured to use external aaa server in the context of the admin.

    Workaround solution:

    Option 1: Configure enable password in the system context. Option 2: Avoid the use of the interface of the console series and rely on telnet
    or ssh console access.  SSH or telnet consoles, tries to enter
    active mode is authenticated as specified by the configuration of aaa in
    the context of "admin".
    Other Description of the problem:

    When authentication is enabled for the serial console and activate console in
    Executive admin via an external aaa Server (for example: radius or Ganymede +), series
    Console OmniPass is against the external aaa server, but the mode
    credentials are compared with enable db in the context of the system.

    Hope that clarifies it. Unfortunately there is no solution for this problem.

    Kind regards.

  • AAA authentication in Cisco router

    I want to create the user name and password with the level of prévilige for each user in the Cisco 3640 router. I don't have any authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest me how should I proceed.

    Thanks in advance

    Hello

    If you want to create users in the local database of the router, you must use the following command

    username cisco password privilege 5 test

    AAA new-model

    AAA authentic login default local

    AAA exec default local author

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#12277

    Thank you

    Sujit

  • Order of the ASA of the rule

    Hello

    I have a question: witch order cisco ASA 5520 cheque rules?

    1 course

    2 NAT

    3 ACL

    Kind regards

    Mary

    1 Nat

    2 LCD

    3. the road

    See

    http://www.netcraftsmen.NET/welcher/papers/IPSec2.html

  • The AAA authentication and VRF-Lite

    Hello!

    I encountered a strange problem, when you use authentication Radius AAA and VRF-Lite.

    The setting is as follows. A/31 linknet is configured between PE and THIS (7206/g1 and C1812), where the EP sub-si is part of a MPLS VPN and VRF-Lite CE uses to maintain separate local services (where more than one VPN is used..).

    Access to the this, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following configuration:

    --> Config start<>

    AAA new-model

    !

    !

    Group AA radius RADIUS-auth server

    Server x.x.4.23 auth-port 1645 acct-port 1646

    Server x.x.7.139 auth-port 1645 acct-port 1646

    !

    AAA authentication login default group auth radius local

    enable AAA, enable authentication by default group RADIUS-auth

    ...

    touch of 1646-Server RADIUS host x.x.4.23 auth-port 1645 acct-port

    touch of 1646-Server RADIUS host x.x.7.139 auth-port 1645 acct-port

    ...

    source-interface IP vrf 10 RADIUS

    ---> Config ends<>

    The VRF-Lite instance is configured like this:

    ---> Config start<>

    VRF IP-10

    RD 65001:10

    ---> Config ends<>

    Now - if I remove the configuration VRF-Lite and use global routing on the CE (which is OK for a simple vpn installation), AAA/RADIUS authentication works very well. "" When I activate transfer ip vrf "10" on the interface of the outside and inside, AAA/RADIUS service is unable to reach the two defined servers.

    I compared the routing table when using VRF-Lite and global routing, and they are identical. All roads are correctly imported via BGP, and the service as a whole operates without problem, in other words, the AAA/RADIUS part is the only service does not.

    It may be necessary to include a vrf-transfer command in the config of Group server as follows:

    AAA radius RADIUS-auth server group

    Server-private x.x.x.x auth-port 1645 acct-port

    1646 key ww

    IP vrf forwarding 10

    See the document below for more details:

    http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html

  • GANYMEDE + Queueing AAA authentication

    Hello

    I've recently updated the IOS on my 3560 X 15.0 (2) SE3 and I can't get GANYMEDE works correctly. It worked properly on this device until I updated the IOS so I don't know what happened. I've made a few other changes as well (management IP change and clean the other config) so I'm not 100% sure what the issue was with the IOS. I have this same exact config on several other Cisco devices and it works fine. Any thoughts are appreciated.

    Config:

    AAA authentication login default group Ganymede + local

    AAA authorization exec default group Ganymede + local

    Ganymede IP source interface Vlan1

    radius-server host

    Ganymede IP source interface Vlan1
    GANYMEDE-server host 10.x.x.x key *.

    Debugs:

    MORE: Queuing request authentication AAA 88 for the treatment

    I never spent queuing. I can't find a way to clear the queue either.

    I have to disable the uplink port and reboot the switch to not even enter the port of the console. At this point, I get 1 authentication attempt (debugging below) before entering the queue messages.

    21:34:36.864 Mar 29 CDT: % LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed State to

    21:40:48.068 Mar 29 CDT: MORE: Queuing AAA request authentication 47 for the treatment

    21:40:48.068 Mar 29 CDT: HIGHER: processing id authentication of demand beginning 47

    21:40:48.068 Mar 29 CDT: MORE: authentication start package created for 47(**USERNAME**)

    21:40:48.068 Mar 29 CDT: MORE: using the 10.x.x.x server

    21:40:48.068 Mar 29 CDT: HIGHER (0000002F) / 0/IDLE/68F4CBC: started 5 sec timeout

    21:40:48.077 Mar 29 CDT: HIGHER (0000002F) / 0/IDLE/68F4CBC: got immediately connect on the new 0

    21:40:48.077 Mar 29 CDT: HIGHER (0000002F) / 68F4CBC/WRITING/0: started 5 sec timeout

    21:40:48.077 Mar 29 CDT: T +: 192 (0xC0) Version, type 1, seq 1, encryption 1, SC 0

    21:40:48.077 Mar 29 CDT: T +: session_id 912650955 (0x3665F2CB), dlen 32 (0x20)

    21:40:48.077 Mar 29 CDT: T +: type: AUTHENTIC / START, priv_lvl:1 action: ascii LOGIN

    21:40:48.077 Mar 29 CDT: T +: svc:LOGIN user_len:11 port_len:4 (0x4) raddr_len:9 (0 x 9) data_len:0

    21:40:48.077 Mar 29 CDT: T +: user: (* USERNAME *)

    21:40:48.077 Mar 29 CDT: T +: port: tty1

    21:40:48.077 Mar 29 CDT: T +: rem_addr: 10.y.y.y

    21:40:48.077 Mar 29 CDT: T +: data:

    21:40:48.077 Mar 29 CDT: T +: end of packet

    21:40:48.077 Mar 29 CDT: HIGHER (0000002F) / 0/WRITING: write to 10.x.x.x failed with errno 257 ((ENOTCONN))

    21:40:48.077 Mar 29 CDT: MORE: authentication start package created for 47(**USERNAME**)

    21:40:48.077 Mar 29 CDT: HIGHER (0000002F): start write failed

    21:43:01.976 Mar 29 CDT: % SYS-5-CONFIG_I: configured from console by dcmorris on console

    21:43:08.057 Mar 29 CDT: MORE: Queuing AAA request authentication 48 for the treatment

    21:45:24.842 Mar 29 CDT: MORE: Queuing AAA request authentication 49 for the treatment

    21:48:52.494 Mar 29 CDT: MORE: Queuing AAA asks 50 for processing authentication

    You might want to take a look here

    https://supportforums.Cisco.com/message/3965551#3965551

    Jatin kone

    -Does the rate of useful messages-

  • External SSL VPN via AAA authentication

    Greeting from all the

    How can I exchange a group policy for users between the SAA and an external AAA (authentication via ldap or RADIUS)

    Let's say I have user1 I want only him to use groupPolicy "gpSales" for its VPN access, how can the ASA Exchange this information with the radius or LDAP server

    Thank you

    Glad to hear that you guessed it work.  Please rate this post if you found it useful.

  • banner of AAA authentication

    I have configured the banner authentication aaa and aaa fail message on a router running 12.1 (15) - authentication is done by ACS 3.0.2 which works very well.

    Problem - the banner of authentication does not appear (nothing is outside of "username:"-don't not even 'check' user access) If you enter a wrong password, but the failure message. If I console in and unplug the interface while the two messages very well.

    Workaround solution - if I set up a connection "banner" then everything works fine too, but I can't work out why does not display the "banner of aaa authentication."

    I suspect ACS prevents the message, but I can't work out how - can anyone suggest a solution?

    Thank you very much!

    By the way that the command "radius-server administration '? It doesn't seem to be documented, and it has no effect or not.

    The banner command does not work if you make the RADIUS authentication, it will not work if you do a RADIUS/local/etc. This is normal, cause with Ganymede you can have the sending server banner and guests down (even if with all I don't think that you can do) and so if you have configured authentication GANYMEDE the router does not take into account the banner command and waits to see if she gets a new one from the server RADIUS itself. If it is not it will simply display the usual guests.

    As for the 'radius-server admin' command, honestly, I have no idea, never seen anyone use. Online help says "start the daemon of Ganymede management administrative messages", but what really I don't know, maybe someone else can help.

  • The AAA authentication configuration

    We have ACS server 3.1 to AAA for authentication for all routers and switches. I want each person to connect the router using its own id, password password and activate. If the ACS server is unavailable, I want to have different id, password and enable password for console and telnet access. What is the right way to do this? I also want to follow all orders entered on the router.

    That's what I have:

    AAA new-model

    AAA authentication login default group Ganymede + local

    enable AAA authentication login no_tacacs

    the AAA authentication enable default group Ganymede + line

    AAA authorization exec default group Ganymede + local

    AAA authorization commands 15 default group Ganymede + local

    AAA accounting exec default start-stop Ganymede group.

    orders accounting AAA 15 by default start-stop Ganymede group.

    !

    username admin password 7 xxxxxxxxxxxxxxxx

    !

    !

    Line con 0

    connection of authentication no_tacacs

    line to 0

    line vty 0 4

    password 7 xxxxxxxxxxxxxxxxxxxxxxxx

    !

    Yes, it's Joy on the right. Thank you, Renault

  • No AAA authentication for switch

    I'm intrigued by my question. I have a switch on 9 that cannot authenticate with our server GANYMEDE. The configurations are the same as any other switch, but when I try to open a session using the account GANYMEDE + access is denied. This is the configuration for the AAA/GANYMEDE on the switch.

    AAA new-model

    AAA authentication login default group Ganymede + local
    authorization AAA console
    AAA authorization exec default group Ganymede + local

    radius-server X.X.33.XX host
    radius-server key 7?

    I deleted the aaa configuration and then reconfigured it as well as the information from the server RADIUS and no authentication Ganymede. I gave the Ganymede interface should use, but same result. Any ideas?

    Thank you

    Robert

    Robert,

    Please make sure following

    -Radius server is accessible from the switch and port 49 is not blocked.

    S ' it is layer 3 switch, then make sure to configure the interface source ip Ganymede XXXX (Interface IP set in radius server)

    -Check the secret key

    If the problem is still there then please get

    Debug aaa authentication

    debugging Ganymede

    Kind regards

    ~ JG

  • AAA authentication and privilege-mode

    I want to configure authentication aaa with accounts of local user on the switch. The idea is to come directly into the "privilege" without the enable command mode.

    I have configured the following commands:

    AAA new-model

    AAA authentication login default local

    What other commands (permission) are necessary to obtain the command of privilege?

    Thank you

    Pascal

    Dear Sir

    For the console you must issue to order more.

    There is a hidden within IOS command you will need to apply: "authorization aaa console.

    Who should fix it

    Kind regards

    ~ JG

    Note the useful messages

  • Excluding the lines of Terminal Server in the AAA authentication

    Hi all

    Hope you can help, I'm trying to find a solution to exclude only the following line port by using the AAA authentication (ACS GANYMEDE +) on a map of Terminal Server on a Cisco 2600 router.  Does anyone know how to do this, or point me in the right direction to solve?

    I've included the output below:

    AAA authentication login default group Ganymede + local
    AAA authorization exec default group Ganymede + local
    AAA accounting exec default start-stop Ganymede group.
    AAA accounting network default start-stop Ganymede group.
    AAA accounting default connection group power Ganymede
    AAA accounting system default start-stop Ganymede group.
    AAA - the id of the joint session

    line 41
    session-timeout 20
    decoder location - XXXXXX XXXXXX BT
    No banner motd
    No exec-banner
    absolute-timeout 240
    Modem InOut
    No exec
    transport of entry all
    StopBits 1
    Speed 38400

    Is it a question of disabling the command line or using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication to the and send your AAA configuration

    line to 0

    connection of authentication aux_auth

    AAA authentication login aux_auth line

    You can also configure a username local/pw and map it on the group to here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    Line con 0

    console login authentication

    line 4 vty0

    vty authentication login

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • AAA authentication question

    Here is the config, I have a switch:

    AAA authentication login default group Ganymede + local

    AAA authentication login vtylogin group Ganymede + local

    AAA authentication login conlogin group Ganymede + activate none

    the AAA authentication enable default Ganymede + activate

    Now, here are my questions:

    1. when I have my login of Ganymede console connection works, but when I type 'enable' and try to use my password to Active Directory, it does not work.  So I try the enable password, don't worry.  However if I change the 4th line "aaa authentication enable the Activate by default", I can now by using the enable password.

    2. my second question is when I SSH into the switch, I want only that it uses the RADIUS server and use only the database local when the Ganymede is not available.  However while Ganymede is available, I am still able to login using the local user account.  I guess that's by design?  Is there a way to prevent this if it isn't design?

    When you use the local user account to connect to the device, can you check if you can see the log in "past the authentication attempt" on the box of the CSA? If so, the same account could you please check your local ACS DB user to see that it was created by a fake?

Maybe you are looking for

  • Notes crashes in the Sierra. Help, please!

    After the upgrade on my iMac (mid-2014), I can't open the Notes. Crashes every time after I clicked through the tutorial on the new updates for Notes. Help, please! Thank you!

  • I feel betrayed

    I have an iMAC 21.5 "end 2013. I was interested in increasing the RAM. I found a note from Apple, which indicates that I'm not able to increase the RAM and he has to bring to a dealership. Is there a way I can increase the RAM? I currently have 8GB.

  • BIOS password help

    Folio 13-2000 Disabled system [59472296]

  • Windows XP PC freezes after Windows Update November 11. 2009.

    Our two identical Dell Vostro 410 PCs with installed WindowsXP SP3 image no longer work correctly after Windows Installer update yesterday (Wednesday 11. November. They will work in Mode without failure. However, mode normal, we get after the opening

  • Driver for my laptop

    USB\VID_0CF3 & PID_311D & REV_0001 PCI\VEN_10EC & DEV_5229 & SUBSYS_1858103C & REV_01 PCI\VEN_8086 & DEV_1E22 & SUBSYS_1858103C & REV_04