IDS with TACACS+
Are the IDS 4215 sensors compatible with TACACS+? I see nothing in the CSM guides or in the user guide itself that would lead me to believe they are, but I wanted to make sure with the group.
Thank you.
IDS/IPS devices currently do not support external authentication using AAA servers. The only way users can be authenticated is with the local database on the IDS/IPS device.
I hope this helps.
Kind regards
Maryse.
Tags: Cisco Security
Similar Questions
-
ACE with TACACS+ question
Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
The "optional" syntax does not work. I have no idea if the argument is valid for this version of ACS?
service = exec
optional shell:Admin = domain Admin
I tried it with quotes, but that didn't work either.
Hello
This is a reference doc for configuring the ACE for TACACS+ authentication:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891
Under the TACACS+ custom attribute we need to specify the attribute in the form:
shell:Admin*Admin MYDOMAIN1
= means mandatory attribute
* means optional attribute
Information on context/role/domain (virtualization on ACE):
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html
Default 'role' on ACE:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
HTH
JK
Please rate useful posts.
-
Nexus command authorization with TACACS+
Hello.
Can anyone provide an example configuration for using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?
Thank you.
Kind regards.
Andrea
Hello Andrea,
We have moved to ACS 5.3 now - but we had our Nexus 5520 running against our old 4.2 ACS before this - so I picked out the relevant bits of the config below:
username admin password <password> role network-admin ; local admin user
feature tacacs+ ; turn on TACACS+
tacacs-server host <server-ip> key <key> ; set the key for the TACACS+ server
aaa group server tacacs+ TACACS ; create the group called "TACACS"
  server <server-ip> ; set the IP address of the TACACS+ server
  use-vrf management ; tell it to use the default "management" VRF to send TACACS+ queries
  source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group TACACS ; use TACACS+ for login authentication
aaa authentication login console group TACACS ; use TACACS+ for console login authentication
aaa authorization config-commands default group TACACS local ; use TACACS+ for config command authorization
aaa authorization commands default group TACACS local ; use TACACS+ for normal command authorization
aaa accounting default group TACACS ; send accounting records to TACACS+
I hope that works for you!
(This may change a bit when you move to ACS 5.x - we chose not to do complex command auth (using only shell profiles); the shell profile just returns a role to the Nexus 5k, and the 5k does the command auth (network-operator vs network-admin) based on that - as long as you just don't configure aaa authorization commands on the 5k.)
Rob...
-
Total connection time: how to account for it with TACACS+
Hi, we have the following scenario: this company uses two methods for remote access (for employees only): through RAS connections, or by using VPN clients to connect to a PIX 535 over the Internet. We need to do accounting for the total connection time. In the case of RAS connections it is easy: we run AAA TACACS+ between the RAS and the ACS (ver 2.1) and check the start/end times. But with the Internet connection, the start/stop times reflect the total time of each connection made by the user, i.e. telnet, snmp, ftp, etc., and those connections can be simultaneous (or not), so we cannot just add up the total time of every connection for a single user; it could be greater than the actual time that this user has really been connected. So how could we account for total connection time in this case?
Thanks in advance for your recommendations
Unfortunately you can't. Accounting for VPN users on the PIX has been on the design board for some time now, but so far it has not been implemented. You can check the status of bug ID CSCdu01327 for updates.
-
Cisco ISE with both TACACS+ and RADIUS?
Hello
I'm working on enabling wired authentication on a network using Cisco ISE. I have studied the requirements for this. I know that I need to enable RADIUS on the Cisco switches on the network. The switches in the network are already configured for TACACS+. Does anyone know if they can both operate on the same network at the same time?
Bob
I assume that TACACS+ is configured (with ACS 4.x or 5.x) for device administration via telnet/ssh, and now you need RADIUS to authenticate 802.1X. Yes, they can both work on the same network at the same time.
~BR
Jatin kone
*Do rate helpful posts*
-
Router with TACACS+ locked out
Hello
I made a rookie mistake today and set up one of our routers with the following configuration:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
We use RADIUS for authentication and TACACS+ for authorization, so needless to say I'm locked out of the router. I wonder if the only way to get past this is a password reset on the router, or if there is a way for me to reconfigure my RADIUS/TACACS+ server to allow access to this device with this configuration. Thank you
Since you have 'enable' as the fallback method, simply make the TACACS+ server unavailable to this router (null route somewhere upstream, ACL, etc.) and then the router should let you log in using the enable password instead of a username and password.
Note: I assume that the default authentication applies to the console or VTY lines, but I can't say for sure, since the complete configuration was not shown.
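The fallback behaviour the reply relies on, as an added example in Python (not code from the original posts or from Cisco). It is a small model of an IOS-style AAA method list: each method returns PASS, FAIL or ERROR, and the next method in the list is consulted only on ERROR (server unreachable), never on FAIL (server reachable but rejecting the request). The TACACS+ server, the enable secret (ENABLE_SECRET) and the account list (TACACS_USERS, with the made-up user "netops") are constructed stubs, and the 'local' method from the posted exec-authorization list is left out of the model as a simplification. The three scenarios are the poster's situation (server reachable but rejecting the account, so the enable fallback is never reached), the reply's suggestion (server unreachable, so login falls to enable and exec authorization falls to if-authenticated), and normal operation.

```python
"""Model of how an IOS-style AAA method list falls through its methods.

Added example for this thread (not code from the original posts or from
Cisco).  A method returns PASS, FAIL or ERROR; the next method in the list
is consulted only on ERROR (server unreachable), never on FAIL (server
reachable but rejecting).  Servers are constructed stubs; nothing here
talks to a real TACACS+ server, and all names and secrets are made up.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Constructed sample values (assumptions, not from the thread).
ENABLE_SECRET = "enable-secret-sample"
TACACS_USERS = {"netops": "netops-pw-sample"}   # accounts the TACACS+ stub knows


class Result(Enum):
    PASS = "pass"    # method accepted the request
    FAIL = "fail"    # method was reached and explicitly rejected the request
    ERROR = "error"  # method unavailable (timeout, no route, bad key)


# A method takes (username, password, already_authenticated) -> Result.
Method = Callable[[str, str, bool], Result]


def tacacs_group(reachable: bool, users: Dict[str, str]) -> Method:
    """Stub for 'group tacacs+', used for both login and exec authorization."""
    def method(username: str, password: str, authenticated: bool) -> Result:
        if not reachable:
            return Result.ERROR                  # no reply within the timeout
        if username in users and (authenticated or users[username] == password):
            return Result.PASS                   # server answered: accept
        return Result.FAIL                       # server answered: reject
    return method


def enable_method(secret: str) -> Method:
    """Stub for the 'enable' method: only the enable secret is checked."""
    def method(username: str, password: str, authenticated: bool) -> Result:
        return Result.PASS if password == secret else Result.FAIL
    return method


def if_authenticated(username: str, password: str, authenticated: bool) -> Result:
    """The 'if-authenticated' method: succeed for any user who already logged in."""
    return Result.PASS if authenticated else Result.FAIL


def run_method_list(methods: List[Method], username: str, password: str,
                    authenticated: bool = False) -> Result:
    """Evaluate methods left to right, falling through only on ERROR."""
    outcome = Result.ERROR
    for method in methods:
        outcome = method(username, password, authenticated)
        if outcome is not Result.ERROR:
            return outcome                       # PASS or FAIL is final
    return outcome                               # every method errored: refused


def console_session(tacacs: Method, username: str, password: str) -> Tuple[str, str]:
    """Run the poster's login list and exec-authorization list for one attempt."""
    login_list = [tacacs, enable_method(ENABLE_SECRET)]   # ... group tacacs+ enable
    exec_list = [tacacs, if_authenticated]                # ... group tacacs+ if-authenticated
    if run_method_list(login_list, username, password) is not Result.PASS:
        return ("login rejected", "n/a")
    authz = run_method_list(exec_list, username, password, authenticated=True)
    return ("logged in", "exec granted" if authz is Result.PASS else "exec denied")


def lockout_scenarios() -> Dict[str, Tuple[str, str]]:
    """The three situations from the thread, keyed by scenario name."""
    reachable = tacacs_group(True, TACACS_USERS)
    unreachable = tacacs_group(False, TACACS_USERS)
    return {
        # Server up but the account is unknown to TACACS+ (the poster's case):
        # the reject is final and the 'enable' method is never consulted.
        "reachable_unknown_user": console_session(reachable, "admin", ENABLE_SECRET),
        # Server made unreachable (the reply's suggestion): login falls to
        # 'enable' and exec authorization falls to 'if-authenticated'.
        "server_unreachable": console_session(unreachable, "admin", ENABLE_SECRET),
        # Server up and the account is known: normal operation.
        "reachable_known_user": console_session(reachable, "netops", "netops-pw-sample"),
    }


if __name__ == "__main__":
    for name, (login, authz) in lockout_scenarios().items():
        print(f"{name:24s} {login:16s} {authz}")
```

The model makes the defender-side consequence concrete: a method list that ends in 'enable' means the enable secret is reachable whenever the AAA server is, for any reason, unreachable, so that secret needs the same handling as TACACS+ credentials, and AAA server reachability is worth monitoring and alerting on rather than being discovered during a lockout.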
-
Custom RBAC with TACACS+ (ACS 5.4) - NX-OS limited access
Hello
I created a custom RBAC role on NX-OS.
Role: Limited_Admin
rule 11 deny command config t ; interface mgmt0
rule 10 permit read
rule 9 permit command config t ; interface *
rule 8 permit command copy running-config startup-config
rule 7 permit command ping *
rule 6 permit command traceroute *
I created a shell profile with the following attribute, which places the user in the Limited_Admin role, and mapped it to the authorization policy rule.
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles="Limited_Admin"
When I log in with the test account, I get mapped to the custom role as shown below, but I still have priv 15.
user: testrbac
roles: Limited_Admin
account created through the REMOTE authentication
Credentials such as ssh server key will be cached only temporarily for this user account
Local login is not possible
Any help is greatly appreciated. I had this working perfectly on 4.2, but I am unable to make the rules work on 5.4.
Nexus AAA configuration:
tacacs-server key 7 *
ip tacacs source-interface mgmt0
tacacs-server host x.x.x.x
aaa group server tacacs+ ACS-SERVERS
  server x.x.x.x
  use-vrf management
aaa group server tacacs+ ACS-SERVERS
aaa authentication login default group ACS-SERVERS
aaa authentication login console local
aaa accounting default group ACS-SERVERS
aaa authentication login error-enable
I saw it, and that's what I wanted to see and use as the syntax/format on NX-OS under the role, like this:
Role: Limited_Admin
rule 11 deny command configure terminal ; interface mgmt0
However, I think you tried it and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.
Jousset
*Rate helpful posts*
Sent from Cisco Technical Support Android app
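How a rule set like Limited_Admin decides each command, as an added example in Python (not code from the original posts or from Cisco). It encodes the following as assumptions about NX-OS rule evaluation: rules are tried from the highest number down and the first match decides; a command matching no rule is denied for a custom role; 'permit read' covers show commands; '*' in a rule stands for any text; and a rule's command text is compared against the command in its full form, which is why the reply's 'configure terminal ; interface mgmt0' wording is used. The role text is the one from the thread, the abbreviated variant reproduces the original post's 'config t' wording, and the sample commands (SAMPLE_COMMANDS) are constructed.

```python
"""Model of NX-OS role rules for a custom role like Limited_Admin.

Added example for this thread (not code from the original posts or from
Cisco).  Assumptions encoded here: rules are tried from the highest number
down and the first match decides; a command matching no rule is denied for
a custom role; 'permit read' covers show commands; '*' in a rule stands for
any text; and rule text is compared against the command in its full form.
"""
import re
from typing import Dict, List, Optional, Tuple


class Rule:
    def __init__(self, number: int, action: str, pattern: Optional[str]):
        self.number = number
        self.action = action            # "permit" or "deny"
        self.pattern = pattern          # None for a 'permit read' rule
        # Turn the rule text into an anchored regex; '*' becomes '.*'.
        self.regex = None if pattern is None else re.compile(
            "^" + re.escape(pattern).replace(r"\*", ".*") + "$")

    def matches(self, command: str) -> bool:
        if self.pattern is None:
            return command.startswith("show ")   # read-only rule: show commands
        return self.regex.match(command) is not None


def parse_role(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny command <text>' and 'rule N permit read' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=4)          # rule, N, action, kind, [text]
        if len(parts) < 4 or parts[0] != "rule":
            raise ValueError(f"unrecognised rule line: {line!r}")
        number, action, kind = int(parts[1]), parts[2], parts[3]
        if kind == "read":
            rules.append(Rule(number, action, None))
        elif kind == "command" and len(parts) == 5:
            rules.append(Rule(number, action, parts[4]))
        else:
            raise ValueError(f"unrecognised rule line: {line!r}")
    return rules


def evaluate(rules: List[Rule], command: str) -> Tuple[str, Optional[int]]:
    """Highest-numbered matching rule wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule.matches(command):
            return rule.action, rule.number
    return "deny", None


# The role from the thread, in the full-form wording the reply suggests.
LIMITED_ADMIN = """
rule 11 deny command configure terminal ; interface mgmt0
rule 10 permit read
rule 9 permit command configure terminal ; interface *
rule 8 permit command copy running-config startup-config
rule 7 permit command ping *
rule 6 permit command traceroute *
"""
# The same role with the abbreviated wording from the original post.
ABBREVIATED = LIMITED_ADMIN.replace("configure terminal", "config t")

# Constructed sample commands a Limited_Admin user might enter.
SAMPLE_COMMANDS = [
    "configure terminal ; interface mgmt0",
    "configure terminal ; interface Ethernet1/1",
    "show running-config",
    "copy running-config startup-config",
    "ping 10.0.0.1",
    "reload",
]


def check_commands(role_text: str) -> Dict[str, str]:
    """Decision ('permit'/'deny') for each sample command under the given role text."""
    rules = parse_role(role_text)
    return {cmd: evaluate(rules, cmd)[0] for cmd in SAMPLE_COMMANDS}


if __name__ == "__main__":
    for label, role in (("full form", LIMITED_ADMIN), ("abbreviated", ABBREVIATED)):
        print(label)
        for cmd, decision in check_commands(role).items():
            print(f"  {decision:6s} {cmd}")
```

Under the full-form wording the deny on mgmt0 (rule 11) wins over the permit on other interfaces (rule 9) because it has the higher number. Under the abbreviated wording neither rule matches anything, so the role silently denies all interface configuration instead of restricting it; replaying a rule set against the exact commands it is meant to allow and block, as this model does, is a cheap check before the shell profile goes into ACS.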
-
ACS 5.2 with TACACS+ cannot support Alcatel switches.
I have a few Alcatel switches and I want to use TACACS+ on ACS 5.2 for Alcatel switch admin authentication.
The failure reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets
But I have checked that the secret is correct.
Before this, I tried it with ACS version 4.2 and it works.
Please review the attachment for the ACS report.
Thanks for your suggestions.
Hello
Can't give you an answer, but which Alcatel model/version do you run?
I have the same problem with OS6250 (6.6.1.636.R01) and ACS 5.2 unpatched. I'm looking in the Alcatel and ACS bug trackers.
Have you looked at PR 144246?
David
-
Hello
I was testing AAA authentication on a switch when it cannot communicate with ISE, and I found a strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.
The switch kept cycling: it showed the banner, gave the authentication failure message 3 times, and then the cycle began again with the failure, the banner and the login prompt.
I removed the aaa authorization network command and reloaded the switch, and I was able to log in successfully.
Could someone help me with this problem?
Hi Nitesh-
This command (aaa authorization network) has nothing to do with admin authorization on the network device (in this case, the switch). This command applies to network connections such as PPP, SLIP, etc.
In addition, aaa authorization can be performed with RADIUS and not only with TACACS+. RADIUS is not as powerful and you cannot provide command authorization sets, but you can still return roles and different privilege levels.
Have you tested the above configuration syntax? I did and it works as expected!
Thank you for evaluating useful messages!
-
ACS 4.2 profiles with TACACS+?
Hello
I use ACS 4.2 (appliance) with Network Access Profiles. It's a very big problem that profiles only support the RADIUS protocol; I need to use the TACACS+ protocol with profiles, because I need TACACS+ for command authorization. Is it possible to have a policy like this on ACS 4.2:
- If the login comes from NetworkDeviceGroup1 using RADIUS, use local authentication
- If the login comes from NetworkDeviceGroup2 using TACACS+, use RSA SecurID (external RADIUS authentication).
Best regards
Hello
ACS 4.x NAP works only with RADIUS.
- If you want, you can go to ACS 5.x, which is more flexible.
It runs role-based authentication/authorization and you can combine roles as you need, so it is more flexible.
Please visit the sites:
1) http://www.youtube.com/watch?v=Xin98O-Q4JY
2) http://www.youtube.com/watch?v=vOxcrEU_-Gw&feature=related
Kind regards
Talal
==
Remember to rate the responses that you find useful
Please rate the answers that you find useful and mark the question as answered when it is :-) so that others can easily find them
-
Problem with TACACS+ (ACS) and Catalyst 2950
I have configured the 2950 as below and properly configured ACS. I can log in to the 2950 using this configuration; the problem is that after I go to enable and try any command, I get a "command authorization failed" error.
What have I missed in the config that will allow me to execute commands?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host ***.***
tacacs-server key 7 *
Thanks in advance.
Jon
Hi Jon,
The AAA on the switch seems ok; maybe you need to take a look at your ACS.
Check the following information on where you have to apply it in your ACS config:
Rgds,
AK
-
Authentication problem with ACS and TACACS+
My organization has been using ACS with AD to authenticate users for access to network devices.
But lately it does not work. There have been no known changes.
Can anyone help point out the possible problems, or links showing how the actual ACS configuration should be or look like for this to work?
My apologies if this is a naive question; I am not so comfortable with ACS.
Thank you!
Hello
There are two ways to fix the message 'Windows dial-in permission required'. You can either add dial-in permission on the user accounts in your Windows database, or you can remove the "Require dial-in permission" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a check box that gives you the option to "make sure that Grant dial-in permission is checked".
Checking this box will cause the error you get if your Windows users do not have dial-in permission. If you uncheck this box, it should clear this up.
HTH
JK
-
Integration of Snort IDS with the vShield product
Hi dear all,
We are at the start of virtualization. Is it possible to integrate Snort rules inside the vShield product? How do I integrate an IDS with vShield? Please help me.
Hello
vShield Edge and App are virtual appliances that cannot be modified, so installing Snort or anything else inside the actual virtual appliance is not possible. However, you can always have Snort installed and running on another virtual machine connected to the same vSwitch (or vDS) and then configure port mirroring to send all traffic to that specific virtual machine. In this way you are still notified of any alarms/offences detected by Snort within the network. See the following blog for tips on how to do it: vSphere 5 New Networking Features - Port Mirroring | VMware vSphere Blog - VMware Blogs
I hope this helps...
-
Is there a complete list of all the built-in class IDs with their names for programming?
I looked at the LV2012 Class ID property help page located here: http://zone.ni.com/reference/en-XX/help/371361J-01/lvprop/gen_class_id/, but it's incomplete. For example, the RadioButtonsControl has ID 72 and is not listed.
Or better yet, is there a VI out there that can convert a U32 ID value into the corresponding class name?
Try this.
-
Hello
This is the configuration for TACACS+, but authentication is not working.
aaa new-model
!
!
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local enable line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 14.24.6.8
tacacs-server host 17.24.66.1
tacacs-server timeout 1
tacacs-server directed-request
The problem needs to be resolved.
Thanks in advance.
Regards,
Dhananjay.M
A number of things before we get to the troubleshooting part:
1.] tacacs-server timeout 1 ->> this is the time interval the AAA client waits for the server to respond. 1 sec is too aggressive; I don't know what prompted you to configure this. Please set it to at least 5 seconds.
2.] Have you configured the shared secret on the AAA client?
Run these debugs on the switch/router, try to log in with TACACS+ credentials and paste the output here.
debug tacacs
debug aaa authentication
~BR
Jatin kone
*Do rate helpful posts*