IDS with TACACS+

Are IDS 4215 sensors compatible with TACACS+? I see nothing in the CSM guides or the IDS user guide itself which would lead me to believe they are, but I wanted to make sure with the group.

Thank you.

IDS/IPS devices currently do not support external authentication using AAA servers. The only way users can be authenticated is against the local database on the IDS/IPS device.

I hope this helps.

Kind regards

Maryse.

Tags: Cisco Security

Similar Questions

  • ACE with TACACS+ question

    Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.

    The "optional" syntax does not work. Any idea if the argument is valid for this version of ACS?

    service = exec

    optional shell:Admin = domain Admin

    I tried it with quotes, but which didn't work either.

    Hello

    Here is a reference document for configuring the ACE for TACACS+ authentication:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891

    Under the custom TACACS+ attributes we need to specify the attribute in the form:

    shell:Admin*ADMIN MYDOMAIN1

    = means mandatory attribute

    * means optional attribute

    Information on context/role/domain (virtualization on ACE):

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html

    Default roles on ACE:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297

    HTH

    JK

    Please rate helpful posts.

  • Nexus, command authorization with TACACS+

    Hello.

    Can anyone provide an example configuration using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?

    Thank you.

    Kind regards.

    Andrea

    Hello Andrea,

    We have moved to ACS 5.3 now, but we had our Nexus 5520 running against our old ACS 4.2 before this, so I have picked out the relevant bits of the config below:

    username admin password <password> role network-admin   ; local admin user (password elided in the post)
    feature tacacs+                                         ; turn on TACACS+
    tacacs-server key <key>                                 ; set the key for the TACACS+ server (key elided in the post)
    aaa group server tacacs+ TACACS                         ; create the group called "TACACS"
      server <ip-address>                                   ; set the IP address of the TACACS+ server (address elided in the post)
      use-vrf management                                    ; tell it to use the default 'management' VRF to send TACACS+ queries
      source-interface mgmt0                                ; ...and send them from the mgmt interface

    aaa authentication login default group TACACS           ; use TACACS+ for login auth
    aaa authentication login console group TACACS           ; use TACACS+ for console login auth
    aaa authorization config-commands default group TACACS local   ; use TACACS+ for config command authorization
    aaa authorization commands default group TACACS local   ; use TACACS+ for normal command authorization
    aaa accounting default group TACACS                     ; send accounting records to TACACS+

    I hope that works for you!

    (This may change a bit when you move to ACS 5.x. We chose not to do complex command auth (using only shell profiles); to cope with this you return a Nexus role to the 5k and it does the command auth (network-operator vs network-admin) based on that, as long as you do not configure aaa command authorization on the 5k.)

    Rob...

  • How to account for total connection time with TACACS+

    Hi, we have the following scenario. This company uses two methods for remote access (for employees only): RAS connections, or VPN clients connecting to a PIX 535 over the Internet. We need to do accounting for the total connection time. In the case of RAS connections it is easy: we run AAA TACACS+ between the RAS and the ACS (ver 2.1) and check the start/stop times. But with the Internet connection the start/stop times reflect the total time of each connection by user, i.e. telnet, snmp, ftp, etc., and these connections can be simultaneous (or not), so we cannot just add up every connection total for a single user, as it could be greater than the time the user has actually been connected. So how could we account for total connection time in this case?

    Thanks in advance for your recommendations.

    Unfortunately you can't. Accounting for VPN users on the PIX has been on the drawing board for some time now, but so far has not been implemented. You can check the status of bug ID CSCdu01327 for further updates.

  • Cisco ISE with both TACACS+ and RADIUS?

    Hello

    I am setting up wired authentication on a network using Cisco ISE. I have studied the requirements for this. I know that I need to enable RADIUS on the Cisco switches in the network. The switches in the network are already configured for TACACS+. Does anyone know if both can operate on the same network at the same time?

    Bob

    I suppose that TACACS+ is configured (with ACS 4.x or 5.x) for device administration via telnet/ssh, and now you need RADIUS to authenticate 802.1X. Yes, they can both work on the same network at the same time.

    ~ BR
    Jatin kone

    * Please rate helpful posts *

  • Router locked out with TACACS+

    Hello

    I made a rookie mistake today and set up one of our routers to use the following configuration:

    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated

    We use RADIUS for authentication and TACACS+ for authorization, so needless to say I'm locked out of the router. I wonder if the only way to get past this is to password-reset the router, or if there is a way for me to reconfigure my RADIUS/TACACS+ server to allow access to this device with this configuration. Thank you.

    Since you have 'enable' as the fallback method, simply make the TACACS+ server unavailable to this router (null route somewhere upstream, ACL, etc.) and then the router should allow you to log in using the enable password instead of a username and password.

    Note: I assume that the default authentication applies to the console or VTY lines, but I can't say whether that is the case since the complete configuration was not shown.

  • Custom role with TACACS+ (ACS 5.4) - NX-OS RBAC limited access

    Hello

    I created a custom RBAC role on NX-OS.

    role name Limited_Admin
      rule 11 deny command configure terminal ; interface mgmt0
      rule 10 permit read
      rule 9 permit command configure terminal ; interface * ; *
      rule 8 permit command copy running-config startup-config
      rule 7 permit command ping *
      rule 6 permit command traceroute *

    I created a shell profile with the following attribute that places the user in the Limited_Admin role, and mapped that to the authorization policy rule.

    Attribute: cisco-av-pair

    Requirement: Mandatory

    Value: shell:roles="Limited_Admin"

    When I log in with the test account I get mapped to the custom role as shown below, but I have priv 15.

    user:testrbac
            roles:Limited_Admin
    account created through REMOTE authentication
    Credentials such as ssh server key will be cached temporarily only for this user account
    Local login not possible

    Any help is greatly appreciated. I had this working perfectly on 4.2 but am unable to make the rules work on 5.4.

    Nexus AAA configuration:

    tacacs-server key *
    ip tacacs source-interface mgmt0
    tacacs-server host x.x.x.x
    aaa group server tacacs+ ACS-SERVERS
      server x.x.x.x
      use-vrf management
    aaa authentication login default group ACS-SERVERS
    aaa authentication login console local
    aaa accounting default group ACS-SERVERS
    aaa authentication login error-enable

    I saw that, and that's what I wanted to see and use as the syntax/format on the NX-OS under the role, like this:

    role name Limited_Admin
      rule 11 deny command configure terminal ; interface mgmt0

    However, I think you tried it and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.

    Jousset
    * Please rate helpful posts *

    Sent from Cisco Technical Support Android App

  • ACS 5.2 with TACACS+ cannot support Alcatel switch

    I have a few Alcatel switches and I want to use TACACS+ on ACS 5.2 for Alcatel switch admin authentication.

    Failure reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

    But I have checked and the shared secret is correct.

    Before this I tried ACS version 4.2 and it was working.

    Please review the attachment for the ACS report.

    Thanks for your suggestions.

    Hello

    Can't give you an answer, but which Alcatel model/version do you run?

    I have the same problem with an OS6250 (6.6.1.636.R01) and unpatched ACS 5.2. I'm looking through the Alcatel and ACS bug trackers.

    Have you looked at PR 144246 in:

    http://www.alcadisipsolutions.nl/files/Support_files/Alcatel-Lucent/OmniSwitch/OS6250/Firmware/OS6250%20AOS%206.6.1%20-%206250%20+%206250M%20models/OS6250%20AOS%206.6.1.739%20R01/OS6250%20AOS%206.6.1.739%20R01%20Release%20Notes.pdf

    David

  • Unable to log in with TACACS+ after adding the aaa authorization network command

    Hello

    I was testing aaa authentication on a switch when it does not communicate with ISE, and I found a strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.

    The switch kept cycling: showing the banner, giving the authentication failure message 3 times, and then the cycle began again with the banner and login failure message.

    I removed the aaa authorization network command, reloaded the switch, and I was able to log in successfully.

    Could someone help me with this problem?

    Hi Nitesh-

    This command (aaa authorization network) has nothing to do with admin authorization on the NAS (in this case, the switch). This command applies to network connections such as PPP, SLIP, etc.

    In addition, aaa authorization can be performed by RADIUS and not only TACACS+. RADIUS is not as powerful, and while you can't provide command authorization sets, you can still return roles and different privilege levels.

    Have you tested the above configuration syntax? I did and it works as expected!

    Thank you for rating helpful posts!

  • ACS 4.2 profiles with TACACS+?

    Hello

    I use ACS 4.2 (appliance) with Network Access Profiles. It is a very big problem that profiles only support the RADIUS protocol; I need to use the TACACS+ protocol with profiles. I need TACACS+ for command authorization. Is it possible to have a rule like this on ACS 4.2:

    - If logging in from NetworkDeviceGroup1 using RADIUS, use local authentication

    - If logging in from NetworkDeviceGroup2 using TACACS+, use RSA SecurID (external RADIUS authentication)

    Best regards

    Hello

    ACS 4.x NAP works only with RADIUS.

    - If you want, you can go to ACS 5.x, which is more flexible.

    It runs role-based authentication/authorization and you can combine the roles you need to be more flexible.

    Please visit the sites:

    1) http://www.youtube.com/watch?v=Xin98O-Q4JY

    2) http://www.youtube.com/watch?v=vOxcrEU_-Gw&feature=related

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

    Kind regards

    Talal

    ==

    Remember to rate the responses that you find useful.

    Please rate the answers that you find useful and mark as answered - when it is :-) - so that others can easily find them.

  • Problem with TACACS+ (ACS) and Cat 2950

    I have configured the 2950 as below and properly configured ACS, and I can log in to the 2950 using this configuration. The problem comes after I go to enable mode and try any command: I get the error "Command authorization failed".

    What have I missed in the config that will allow me to execute commands?

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    tacacs-server host ***.***
    tacacs-server key 7 *

    Thanks in advance.

    Jon

    Hi Jon,

    The AAA on the switch seems OK; maybe you need to take a look at your ACS.

    Check the following information, which you have to apply in your ACS config:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

    Rgds,

    AK

  • ACS authentication problem with TACACS+

    My organization was using ACS with AD to authenticate users for access to network devices.

    But lately it does not work. There have been no known changes.

    Can anyone help point out possible problems, or links showing how the actual ACS configuration should look for that to work?

    My apologies if this is a naive question; I am not so comfortable with ACS.

    Thank you!

    Hello

    There are two ways to correct the message 'Windows dialin permission required'. You can either add dialin permission to the user accounts in your Windows database, or you can remove the "Require Dialin permission" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a check box that gives you the option to "Verify that Grant dialin permission is checked".

    Checking this box will cause the error you get if your Windows users do not have dialin permission. If you uncheck this box, it should clear this up.

    HTH

    JK

  • Integration of Snort IDS with vShield product

    Hi dear all,

    We are at the start of our virtualization. Is it possible to integrate Snort rules inside the vShield product? How do you integrate an IDS with vShield? Please help me.

    Hello

    vShield Edge and App are virtual appliances that cannot be modified. So installing Snort or anything else inside the actual virtual appliance is not possible. However, you can always have Snort installed and running on another machine connected to the same vSwitch (or vDS) and then configure port mirroring to send all traffic to this specific virtual machine. That way you are still notified of any alarms/offences detected by Snort within the network. See the following blog for tips on how to do it: vSphere 5 New Networking Features - Port Mirroring | VMware vSphere Blog - VMware Blogs

    I hope this helps...

  • Full list of class IDs and names

    Is there a complete list of all the built-in class IDs with their programmatic names?

    I looked at the LV2012 Class ID property help page located here: http://zone.ni.com/reference/en-XX/help/371361J-01/lvprop/gen_class_id/, but it's incomplete. For example, the RadioButtonsControl has ID 72 and is not listed.

    Or better yet, is there a VI out there that can convert a U32 ID value into the corresponding class name?

    Try this.

  • TACACS+ config question

    Hello

    This is the configuration for TACACS+, but authentication is not working.

    aaa new-model
    !
    !
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local enable line
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host 14.24.6.8
    tacacs-server host 17.24.66.1
    tacacs-server timeout 1
    tacacs-server directed-request

    The problem needs to be resolved.

    Thanks in advance.

    Regards

    Dhananjay.M

    A couple of things before we get to the troubleshooting part:

    1.] tacacs-server timeout 1 ->> this is the interval the AAA client waits for the server to respond. 1 sec is too aggressive; I don't know what prompted you to configure this. Please set it to at least 5 seconds.

    2.] Have you configured the shared secret on the AAA client?

    Run these debugs on the switch/router, try to log in with TACACS+ credentials and paste the output here:

    debug tacacs

    debug aaa authentication

    ~ BR
    Jatin kone

    * Please rate helpful posts *
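For the "Router locked out with TACACS+" thread above, here is an added toy model (not code from any post on this page, and not IOS code) of how IOS walks a login method list: a method that answers PASS or FAIL ends the evaluation, and only ERROR (no server reachable) falls through to the next method, which is why the fallback to `enable` only opens up once the TACACS+ server is made unreachable. The router, user names, passwords and enable secret below are constructed.

```python
"""Toy model of how Cisco IOS walks an AAA authentication method list.
Constructed example for this thread, not IOS or Cisco code; the users,
passwords and enable secret below are made up."""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsGroup:
    """Stand-in for 'group tacacs+': ERROR when unreachable, else PASS/FAIL."""
    reachable: bool = True
    users: dict = field(default_factory=dict)   # username -> password

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR                        # timeout: no server answered
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class Router:
    enable_secret: str
    tacacs: TacacsGroup

    def run_method(self, method, user, password):
        if method == "group tacacs+":
            return self.tacacs.authenticate(user, password)
        if method == "enable":
            # 'enable' prompts only for a password and compares it to the enable secret
            return PASS if password == self.enable_secret else FAIL
        raise ValueError(f"method not modelled: {method}")

    def login(self, method_list, user, password):
        """Return (outcome, deciding method). PASS or FAIL from a method ends the
        walk; only ERROR falls through. If every method errors, IOS denies the login."""
        for method in method_list:
            result = self.run_method(method, user, password)
            if result != ERROR:
                return result, method
        return FAIL, None


# The poster's list: 'aaa authentication login default group tacacs+ enable'
LOGIN_DEFAULT = ["group tacacs+", "enable"]


def lockout_demo():
    """Reachable server that rejects -> locked out; unreachable -> enable works."""
    router = Router(enable_secret="en4ble-secret",
                    tacacs=TacacsGroup(reachable=True, users={"alice": "pw1"}))
    rejected = router.login(LOGIN_DEFAULT, "admin", "en4ble-secret")
    router.tacacs.reachable = False             # e.g. ACL or null route upstream
    fallback = router.login(LOGIN_DEFAULT, "admin", "en4ble-secret")
    return rejected, fallback
```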
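For the ACS 5.2 / Alcatel thread above, an added example (not ACS, Alcatel or Cisco code) of the RFC 8907 body obfuscation that TACACS+ uses, and of why a mismatched shared secret surfaces as "Invalid TACACS+ request packet" rather than as an authentication failure: the server decodes the START body with its own key and rejects anything whose fixed fields and length bytes do not add up. The session id, key, user and port values are constructed.

```python
"""TACACS+ (RFC 8907) body obfuscation and the sanity check a server applies
before trusting a decoded Authentication START packet. Constructed example for
this thread, not ACS or Alcatel code; session id, key and user are made up."""
import hashlib
import struct

HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                   # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo pad; the same call decodes (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port="tty0", rem_addr="192.0.2.10"):
    """Client side: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([1, 1, 1, 1, len(u), len(p), len(r), 0]) + u + p + r
    hdr = HDR.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, 1)


def parse_authen_start(packet, key):
    """Server side. Decoding with the wrong key yields pseudo-random bytes, so the
    fixed fields and length bytes almost never add up; that is the condition ACS
    reports as '13011 Invalid TACACS+ request packet - possibly mismatched Shared
    Secrets'. Returns None in that case."""
    if len(packet) < HDR.size:
        return None
    version, ptype, seq_no, _flags, session_id, length = HDR.unpack_from(packet)
    if ptype != TYPE_AUTHEN or length < 8 or len(packet) != HDR.size + length:
        return None
    body = obfuscate(packet[HDR.size:], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, _svc, ul, pl, rl, dl = body[:8]
    if (action not in (1, 2, 3) or not 1 <= authen_type <= 6
            or 8 + ul + pl + rl + dl != length):
        return None
    user = body[8:8 + ul].decode(errors="replace")
    port = body[8 + ul:8 + ul + pl].decode(errors="replace")
    return {"user": user, "priv_lvl": priv_lvl, "port": port}
```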
