AAA issue on NX-OS

Hello

I was setting up an AAA configuration on my NX-OS switch (MDS 9148), logged out and tried to log back in to test the AAA connection, and now I can't log in as admin either way! I did not change the local account. I still have Cisco Device Manager open (in the switch fabric), and I was wondering if anyone had any idea how I fix this (AAA is not yet running on this switch).

Thank you in advance,

supercell29

If I remember correctly, NX-OS should fall back to the local account automatically if AAA is not available. So after you enabled AAA on NX-OS, you could not connect with the local account? I haven't used Device Manager, but you can try disabling AAA and then try again. In addition, the link below gives the password recovery procedure.

http://www.Cisco.com/en/us/partner/docs/switches/Datacenter/SW/password_recovery/nx_os_pw.html

Tags: Cisco Security

Similar Questions

  • AAA issue - line con 0 login authentication (password)

    Good afternoon everyone,

    A simple one for someone, I am sure... I only have remote access to the network kit and therefore cannot test Console access.

    I have a switch with the following configuration (excerpt):

    !
    username admin password Password123
    !
    aaa new-model
    aaa authentication login default group tacacs+ local
    !
    line con 0
     login authentication cisco      (where cisco is representative of a password)

    NOTE: I do not have a "username cisco password Admin" line in global config.

    My question is: with this current config, will Console access stop using the default TACACS configuration for authentication and deny access to the console line, since the cisco password is specified? In that case, since the password is not defined globally, would access be denied?

    I've seen it before where you have exactly the same setup, but instead of referring to a password value on the console line, you specify a named list. For example, "login authentication CONSOLE_USERS", which would make sense, because you would be referring to a group on the TACACS server named CONSOLE_USERS and only users defined in that group could get access through the console, while the ACS server is running!

    Any assistance appreciated, as I really want to get my head around ACS completely.

    Thanks in advance

    David

    Yes, David, you can safely delete this "login authentication cisco" line under line con 0.

    About a RADIUS server, take a look at:

    http://www.shrubbery.NET/tac_plus/

    On the RADIUS server, I recommend freeradius for these tests.

    (It has much less capability than Cisco ACS, but it lets you easily test the basic functions.)

    ---

    Michal

  • AAA issue

    I would like to use 2 different TACACS servers with 2 different keys on an AS5300. I see that I can add as many TACACS servers as I want in a config, but I seem to only be able to add 1 key. The two RADIUS servers are owned by 2 different 3rd-party companies. Is this possible, or can you only add 1 key in the router config?

    Regards

    Mary

    Depends on the IOS version you are using. With IOS 12.3 and greater, you can use different TACACS keys as seen below on the 3640:

    C3640#sh run | i radius-server
    radius-server host 192.168.15.208 key 123456
    radius-server host 192.168.3.10 key 12345678
    RADIUS-server application made
    C3640#

  • AAA accounting is not reporting issued commands.

    Hello everyone, I have a problem with AAA accounting on my ACS 4.0 device. When I view the accounting log, it lists the connections, protocols and IP addresses but not the commands executed on the specific switch. When I debug AAA accounting I see output, but when I debug TACACS accounting I see nothing. An example of my config is:

    aaa new-model
    aaa group server tacacs+ ACS
     server [ip address here]
     server [ip address here]
    aaa accounting exec default start-stop group ACS
    aaa accounting commands 0 default stop-only group ACS
    aaa accounting commands 15 default start-stop group ACS
    radius-server key [here]

    I left the authentication part of the configuration out of the example above, since it works very well.

    Does anyone have ideas why the actual commands are not being captured on ACS?

    Thanks in advance.

    On ACS, command accounting is recorded in the TACACS+ Administration log, not in the TACACS+ Accounting log! Don't ask me why; it just is. At least it is on mine, and it took me a while to discover that as well.

    Hope this helps

    Regards

    Mike

  • PIX, PDM and AAA issues

    I have a PIX 520 in the lab running 6.3.3 and PDM 3.0. I am testing AAA authentication and authorization against our ACS server and running into problems.

    I have two groups set up on our ACS server. One group can access freely; the other group is set up with a shell command authorization set that limits commands so they can view the running-config and a few other things. Users of both groups can connect to PDM or SSH/telnet/serial on the unit and are authenticated and authorized correctly.

    The configuration below works fine, until I pull the ACS server off the network. Because there is no backup authentication or command authorization method, I am dead in the water. When this happens, I can still connect via the serial console using the 'pix' username and the enable password; I just cannot run the 'enable' command to get into privileged mode or any other command besides. (I get a "Command authorization failed" error.)

    Here's the current configuration:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa authentication serial console TACACS+
    aaa authentication enable console TACACS+
    aaa authentication http console TACACS+
    aaa authorization command TACACS+

    Is it possible to set up a backup method for authentication and command authorization? If not, is there any other way around the problem I'm running into?

    Let me know if you need more info. Thank you!

    Hello

    Sorry, I missed this earlier. There is a defect on the PIX for this, and we have an open enhancement request to add multiple authorization methods to the PIX - CSCea04538. At this point, your best bet is to bug your account team to get this feature added to upcoming PIX code. Sorry for the inconvenience.

    Scott

  • 802.1X authentication and X.509 certificate issue

    Hello

    Can someone please help me with the following question:

    First off, I am a Windows Server/PKI/AD guy rather than a Cisco guy, even if I have a CCNA :)

    I look after PKI for my company and will be working with the Cisco team that is introducing Cisco ISE; we will use X.509 certs on the supplicants (mainly Windows desktops/laptops).

    What I want to know is something pretty basic, but I have not seen it written anywhere.

    Question 1:

    First off, I guess the AAA (ISE) server is the entity that verifies the supplicant's X.509 certificate, rather than the AP (the wireless access point or router, for example)? Is that correct?

    Question 2:

    As the supplicant's X.509 certificate is public (i.e. it is not secret and anyone can ask for it, which is normal), I guess the AAA server must encrypt a value (a random number, for example) with the supplicant's public key (from the X.509 cert), then send this value to the supplicant, which decrypts it with its private key (which no one else has, as usual). Then the supplicant encrypts the value again with the AAA server's public key (which is held in the AAA server's X.509 cert) and sends it back to the AAA server, and once the AAA server decrypts it (with its private key), if the value matches the value originally sent to the supplicant, then the AAA server can continue with authentication etc.

    Is the above assumption correct?

    If the above is correct, does ISE always act like that, or can you lower the security and just get the ISE server to check whether it trusts the issuer of the supplicant's X.509 cert (CRL check OK) and not bother sending the encrypted packet as described above (this of course would not ensure supplicant-1 is actually "supplicant-1").

    Thank you very much in advance

    Ernie

    Answers:

    1 - Yes, ISE verifies the certificate presented by the end-user device (supplicant) against its trusted certificate authority store; you import the root and intermediate certificates into ISE where you use non-public CA servers (this is my case for EAP-TLS) such as Verisign, Entrust, etc. UNFORTUNATELY, ISE allows you only 1 cert for EAP use in the list (PEAP, EAP-TLS, etc.), which means that you CANNOT have EAP-TLS and PEAP running on different SSIDs. The problem now is that Entrust, for example, uses an intermediate called Entrust L1K which is not included in the trusted CAs on Apple and Win 7 devices. This causes a certificate-not-trusted warning for iPads, so you then need to trust this certificate; but for Win 7 the PEAP TLS tunnel setup will fail and the connection cannot be established unless you uncheck "VALIDATE SERVER" on Win 7 for this SSID profile.

    2 - You can create a condition that validates the issuer cert, but the allowed protocol is EAP-TLS or PEAP, so the actual process is that of one of these protocols, based on my understanding. For example, with PEAP the TLS tunnel setup is the 1st step, so once the secure tunnel is configured the inner MSCHAPv2 + EAPOL is performed and finally the data passes through the tunnel.

  • AAA authentication failed for user name

    I recently tried to set up a Cisco WLC 4402 running 7.0.235.0 with RADIUS on Windows Server 2008 R2. I set my security type to WPA2-Enterprise, AES encryption, Microsoft PEAP, and exported a certificate from my CA server and installed it on my client machine.

    I don't know what I'm missing; let me know what other information would help you. I have attached a few screenshots.

    0 Mon Jul 22 10:25:58 2013 Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC:00:1e:79:d6:25:e0 Slot:0 User Name:unknown Ip Address: Reason:802.1x Authentication failed 3 times. ReasonCode:4
    1 Mon Jul 22 10:25:58 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    2 Mon Jul 22 10:25:54 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    3 Mon Jul 22 10:25:49 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER

    The issue seems to be with the server-side certificate. Based on your first post, I understand you are using a third-party certificate. Is it possible to issue a new certificate and try again? Or please export the certificate and attach it in your next reply.

    Certificate requirements for PEAP and EAP

    http://TechNet.Microsoft.com/en-us/library/a1ac8d7e-3479-46B4-932b-ab43362e021b

    By default, these logs are located in %windir%\System32\Logfiles

    http://TechNet.Microsoft.com/en-us/library/dd197464%28V=WS.10%29.aspx

    ~ BR
    Jatin Kone

    * Please rate helpful posts *
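As an added example (not part of the original thread), a small Python parser over constructed log lines modelled on the WLC trap log quoted above: it groups the "AAA Authentication Failure" events per user name, flags a burst of failures inside a short window (the condition that precedes the "Client Excluded" event the controller logged), and extracts the exclusion reason. The line format and field names are assumptions based on the thread, not taken from a controller export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the trap-log lines quoted in the thread
# (cleaned up and re-sequenced; not a verbatim controller export).
SAMPLE_LOG = """\
3 Mon Jul 22 10:25:49 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
2 Mon Jul 22 10:25:54 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
1 Mon Jul 22 10:25:58 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
0 Mon Jul 22 10:25:58 2013 Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC:00:1e:79:d6:25:e0 Slot:0 User Name:unknown Ip Address: Reason:802.1x Authentication failed 3 times. ReasonCode:4
4 Mon Jul 22 09:10:00 2013 AAA Authentication Failure for UserName:host/OTHERPC.itserve.com User Type: WLAN USER
"""

# Assumed layout: sequence number, ctime-style timestamp, free-text message.
LINE_RE = re.compile(
    r"^\d+\s+(?P<ts>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"AAA Authentication Failure for UserName:(?P<user>\S+)")
EXCL_RE = re.compile(
    r"Client Excluded: MACAddress:(?P<mac>[0-9a-fA-F:]{17}).*?Reason:(?P<reason>.*?)\.?\s*ReasonCode:\d+")


def parse_events(text):
    """Turn raw log text into time-sorted event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            events.append({"ts": ts, "kind": "auth_failure", "subject": f.group("user")})
            continue
        e = EXCL_RE.search(msg)
        if e:
            events.append({"ts": ts, "kind": "client_excluded",
                           "subject": e.group("mac").lower(), "reason": e.group("reason")})
    events.sort(key=lambda ev: ev["ts"])  # stable sort keeps same-second order
    return events


def failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {user: count} for users with `threshold` or more AAA failures
    inside any `window`-long span (sliding window over sorted timestamps)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth_failure":
            per_user[ev["subject"]].append(ev["ts"])
    bursts = {}
    for user, stamps in per_user.items():
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def exclusions(events):
    """List (mac, reason) pairs for every client the controller excluded."""
    return [(ev["subject"], ev["reason"]) for ev in events if ev["kind"] == "client_excluded"]
```

Correlating the burst with the exclusion is the quick way to confirm that the three rejections are the server answering Access-Reject (a certificate or policy problem on the RADIUS side), rather than the client never reaching AAA at all.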

  • AAA authentication and privileged mode

    I want to configure AAA authentication with local user accounts on the switch. The idea is to land directly in "privileged" mode without the enable command.

    I have configured the following commands:

    aaa new-model
    aaa authentication login default local

    What other commands (authorization) are necessary to get privileged mode directly?

    Thank you

    Pascal

    Dear Sir

    For the console you must issue one more command.

    There is a hidden IOS command you will need to apply: "aaa authorization console".

    That should fix it.

    Kind regards

    ~ JG

    Please rate helpful posts

  • AAA TACACS+ accounting - CLI commands issued by the user do not appear in the ACS report.

    Can I know why the CLI commands issued by the user do not show in the TACACS ACS accounting report? The session duration is displayed, but I also want to log the commands issued by the user.

    What is missing here?

    aaa authentication login VTY group P1_ACS local enable
    aaa authorization exec default group P1_ACS local if-authenticated
    aaa authorization exec CONSOLE none
    aaa accounting exec default start-stop group P1_ACS
    aaa accounting commands 5 default start-stop group P1_ACS
    aaa accounting commands 15 default stop-only group P1_ACS

    Command accounting logs are stored in the TACACS+ Administration reports.

    There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    CCIE Security

  • Interoperability issue using ACS 5.0 as RADIUS with ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through aaa and isakmp debugging at the ASA level) that my RADIUS server is DOWN.

    Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a bug in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    ASDM logs: you'll see the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This will work with TACACS.

    The access policy rule was not hit. Also, could not use RADIUS as we hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; used TACACS+ instead of RADIUS.

    If you want to use RADIUS then you need to upgrade your ACS version to 5.1

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate helpful posts

  • Using MS CA issued certificates

    Looking for a setup guide to use 2-factor authentication in an MS Windows environment. My setup: MS Windows 2012 domain including MS Certificate Services, MS Windows clients with AnyConnect. ASA 5515 VPN device, ASA/ASDM 9.2(2)4/7.3(1). I would like to use the Microsoft CA-issued personal certificates plus the domain user name and password to authenticate the Windows user when establishing the VPN. How can I set the ASA to validate the MS CA-issued user certificate against the MS CA server? All the configuration examples I've seen use the SCEP protocol, where the ASA requests a certificate from the MS CA server on behalf of the user. This is not what I want. I would like the AnyConnect client to present the already issued certificate (in the certificates MMC console: Certificates - Current User -> Personal -> Certificates) to the ASA. The ASA then validates the certificate.
    Then the ASA forwards validation of the user name and password to the LDAP server - in my case the Windows MS domain controllers. How do I configure this?
    Best regards, Henrik

    Take a look at this configuration guide:

    ASA AnyConnect Double Authentication with Certificate Validation, Mapping and Pre-Fill Configuration Guide

    It appears to address the use case you want regarding certificates. They use local authentication as the second authentication factor, but you could also just use AD, LDAP or RADIUS as your AAA server.

  • AAA accounting on routers

    Hey guys,

    I'm looking for help setting up my router so that it accounts to my CSACS all commands run by users. For example, I log in as user bbaggins and I change an ACL configuration; is there a way for the commands that I typed to be logged by ACS?

    Thanks for your help.

    You must configure this with TACACS. Here are the commands.

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    Command accounting logs are stored in the TACACS+ Administration reports. There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    Kind regards

    ~ JG

    Please rate helpful posts

  • 2600 router: struggling with setting up user accounts and AAA

    I am using SDM to configure an Easy VPN connection and, being a newbie, I'm fighting with AAA and the creation of the necessary user account. The SDM wizard says I must have AAA enabled and a user account. I found this doc from Cisco using Google:

    http://www.Cisco.com/en/us/docs/iOS/12_2/security/configuration/guide/scfathen.html#wp1000971

    and following the instructions, I entered these commands in the CLI:

    Router(config)#aaa new-model
    Router(config)#aaa authentication login default local

    but my normal login with user name and password stopped working in the CLI as soon as I did this. I had to power down the router and restart it to regain control.

    To be honest, I found the Cisco instructions really hard; I don't understand the method-list RADIUS Kerberos TACACS stuff, so I was wondering if there were simple instructions out there to set up the user account necessary to go forward with the Easy VPN wizard in SDM.

    Thanks for the pointers.

    Hello Anthony,

    Once you enable aaa new-model, all authentication mechanisms previously applied to the lines become invalid. That's why you should do one of the following:

    Do not issue 'aaa authentication login default local', or, if you are forced to by SDM, create a username for yourself with a high privilege level, because this command will affect console or VTY lines whose authentication is left at default and require the username and password each time you connect; or you can create a list that has 'none' as a method and apply it to the console line to skip console authentication.

    username anthony privilege 15 password xxxx

    Once you enter a username as shown above, you can connect via the console with this username and password if "aaa authentication login default local" is issued.

    RADIUS and TACACS methods are servers that have the ability to hold user names with more advanced configurations. For simple authentication you can use local authentication; this is why you should not mess with RADIUS or TACACS at the moment.

    Regards

  • Enable authentication via AAA fails on the second ACS server

    I have 2 Windows 2003 ACS 4.2 servers, which authenticate against AD. I have configured TACACS+ authentication to both for my PIX 515 running version 7.24. TACACS+ authentication works fine on both. However, when I use 'aaa authentication enable console ProsperAdminAuth LOCAL', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server, and ACS reports the failed authentication as "ACS invalid password". It does not fall back to the LOCAL password. I checked all the passwords and there is no problem there. I know that's not it, because TACACS+ auth works. Has anyone seen this issue elsewhere or know what I might try?

    Thank you

    Vivek

    Hello

    External database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to External User Databases -> Unknown User Policy, you will find that under "Configure Enable Password Behavior" you are set to "Internal database" instead of "The database in which the user profile is held".

    -Jesse

  • AAA authentication problems

    Hello

    When I use the aaa commands below and attempt to authenticate, I am able to authenticate with TACACS+, but then when I do "sh run" I get the message "Command authorization failed." Please advise.

    Test-Switch#sh run

    Command authorization failed.

    aaa new-model
    aaa authentication login NETWORK_ACCESS group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable

    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ none

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    radius-server host <IP> key <string>

    line vty 0 4
     transport input telnet ssh
     login authentication NETWORK_ACCESS
     exec-timeout 10

    BUT as soon as I changed the aaa configuration to the one below, I am able to run sh run commands as usual without any error.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default none
    aaa authentication login default group tacacs+ line
    aaa authentication login no_tacacs line
    aaa authorization console
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec no_tacacs local if-authenticated
    aaa authorization commands 0 no_tacacs none
    aaa authorization commands 1 no_tacacs none
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa session-id common

    Please advise, thank you. It's urgent.

    To approach the issue from a slightly different angle - your original set of commands instructs the router to send an authorization request to TACACS for each level 15 command, which includes show run. Your TACACS server was not configured to allow your user to do show run, and so your attempt to show run was rejected.

    Your revised set of commands doesn't send requests to TACACS for level 15 commands (or other classes of commands, for that matter), and so there is no issue here with show run.

    As far as I can tell, your revised set of commands does not do command authorization at all. You can achieve this result just as easily (and with fewer complications in your configuration) if you simply delete the aaa authorization commands lines from your config.

    HTH

    Rick
