L2TP and TACACS+

Hello.

I have a PPTP server on my Cisco 3845 router with authentication against a freeware TACACS+ server (Linux). The TACACS+ server defines the ACLs and the IP address for each user.

Recently my employer decided to migrate to L2TP over IPsec. The old PPTP server should keep working as well.

Can I use the TACACS+ server to authenticate L2TP users?

I would like to keep this TACACS+ config:

user = User1 {
    chap = cleartext "password"
    member = vpdn
    service = ppp protocol = ip {
        addr = 172.20.20.200
        inacl = 2005
    }
}

Sorry for my English.

Please see the document below. It describes how to configure Layer 2 Tunneling Protocol (L2TP) with TACACS+. It includes sample configurations for the L2TP access concentrator (LAC) and its TACACS+ server, and for the L2TP network server (LNS) and its TACACS+ server, including the routers.

http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_configuration_example09186a0080118d5f.shtml

Tags: Cisco Security

Similar Questions

  • ISE 2.0 and TACACS+

    Hello

    Does anyone know when ISE version 2.0 will come out and TACACS+ will be supported?

    Thank you in advance.

    Joana.

    ISE will support most of the TACACS+ v1.5 features. This version is scheduled for November 2015.

    Please rate useful posts and mark this question as answered if it does in fact answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • RADIUS and TACACS+ running simultaneously?

    I have a Secure ACS 5.3.40 running TACACS+ and I also need to run 802.1X RADIUS to meet DISA requirements; I've been working on it for a week. I am unable to get the feature to work. All the AD connections are already there for TACACS+, so I'm not sure how to configure it. Can someone help with the procedures?

    Hello

    In the AAA configuration you must specify two authentication lists: 802.1X pointing to RADIUS, and device administration pointing to TACACS+.

    In the ACS network device configuration, apply both the RADIUS and the TACACS+ keys.

    There will be no conflict between the two, as they use different sets of commands.

    Thank you

    Please rate if useful...

  • Can I use one ACS as both RADIUS and TACACS+ server for the same ASA?

    I want to use TACACS+ for accounting on the ASA, while the ASA needs RADIUS for SSL VPN authentication. Is it possible to achieve this with only one ACS?

    Yes, you can use both. Add the ASA twice, once as a RADIUS client and once as a TACACS+ client.

    ACS ---> Network Configuration ---> add AAA client

    (1) ASA ---> 1.1.1.1 ---> authenticate using TACACS+

    (2) ASA1 ---> 1.1.1.1 ---> authenticate using RADIUS

    Don't forget that the host names cannot be the same.

    Kind regards

    ~ JG

    Please rate useful posts.

  • AAA and TACACS+ servers

    Hi all

    I want to download free yet reliable AAA and TACACS+ servers; can you guide me? I also need help with their configuration, for study purposes.

    Both of them are TACACS+; do you also need RADIUS (your post says AAA)? Assuming you just need TACACS+:

    Probably the best known is:

    http://www.shrubbery.NET/tac_plus/

    Also, see RANCID.

    For a solution based on Windows you can also consult:

    http://www.TACACS.NET/

    If this post answers your question or is useful, please consider rating it and/or marking it as answered.

  • Authorization when the AAA/TACACS+ server is unavailable

    I set up a PIX with user authentication for telnet and enable access. I have authorization set up so that a subset of users can run only show commands. This works as expected.

    The problem is when I simulate a network failure and try to access the PIX console. I can't run the enable command because the command is not permitted. I have to use the password recovery procedure to access the PIX. How do I handle this? Can I have command authorization processed locally? Can I associate the show command with a lower privilege level? If so, how, and how can I limit the user to this privilege level (via TACACS+)? What am I doing wrong?

    Thank you

    If the PIX is configured for TACACS+ authentication and the RADIUS server is unavailable for authentication, there is no way to rescue or get around this issue at this time.

    You can configure the PIX to fall back to local authentication if TACACS+ is not available.

    That will be available in a later release (I think 6.3 and above).

  • Same host for RADIUS and TACACS+

    Hello

    Can I put a host (an ASA, for example) twice in the ACS server: once for TACACS+ to grant administrators exec access, and once for RADIUS to authenticate remote users?

    I don't want remote users to be able to get exec mode.

    Or how should I configure this?

    Yes, you can do it. In Network Configuration on ACS,

    add:

    ASA ---> 10.1.1.1 ---> authenticate using TACACS+

    ASA1 ---> 10.1.1.1 ---> authenticate using RADIUS

    The host names cannot be the same.

    Kind regards

    ~ JG

    Please rate useful posts.

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use both TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up the authentication on the switch once:

    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group radius
    radius-server host 2.2.2.2 key cisco
    tacacs-server host 2.2.2.2 key cisco

    In ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA client

    Host name: switch1
    IP: 3.3.3.3
    Authenticate using: RADIUS (IETF)

    Add another switch:

    Host name: switch2
    IP: 3.3.3.3
    Authenticate using: TACACS+

    Kind regards

    ~ JG

    Please rate useful posts.

  • Easy VPN usernames and TACACS+

    Dear all,

    This is about TACACS+ and Easy VPN user connections.

    In the current configuration, we use local logins configured on the router to allow remote VPN users to connect.

    Now we want to use TACACS+ to authenticate the users' accounts.

    So please give me a configuration example, a doc, or a link for reference.

    Eve.

    Hi Moinahadidja,

    In case you still need help with this, here is an example:

    http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800a393b.shtml

    HTH

    Herbert

  • TACACS+ and local login access

    The basic summary is that I want to have both TACACS+ and local login access to the router on the vty lines. So I made the two lists below. Goody, obviously, is what will use TACACS+, and Console uses the local logins. I split them between 0-4 and 5-15. It seems that whichever is on 0-4 gets first priority for authentication. If I move Console to 0-4, then the local users work and TACACS+ does not. If I have Goody at 0-4, then TACACS+ works but local doesn't. I know I'm missing something simple. I have two RADIUS servers, and I doubt that both will ever go down, but just in case I want the local usernames to work. If I apply an access list to 0-4 and use SSH, and a different access list to 5-15 and use telnet, it seems to work that way, but that doesn't help me if the internet goes down and I am trying to access the router via SSH on-site.

    Thanks in advance.

    David

    aaa authentication login Goody group tacacs+ local
    aaa authentication login Console local

    line con 0
     login authentication Console
    line aux 0
    line vty 0 4
     session-timeout 7
     exec-timeout 5 0
     login authentication Goody
     transport input ssh
    line vty 5 15
     session-timeout 7
     exec-timeout 5 0
     login authentication Console
     transport input ssh

    Hi David,

    Correct me if I'm not understanding this correctly, but you want to use the RADIUS servers for SSH/console authentication and, if they fail, you want the network device to use its local database.

    If that is correct, you should not need to split the lines and assign different authentication lists. The first list that you have:

    aaa authentication login Goody group tacacs+ local

    lists TACACS+ and the local database as the possible authentication methods. They will be processed in the order they are configured, so the device will:

    1. Use your TACACS+ servers.

    2. If the TACACS+ servers are unreachable, use the local database.

    You can test this by assigning 'Goody' to all your vty lines and then making your TACACS+ servers unavailable. To do that, you can:

    - Restart the server

    - Shut down the server's interface

    - Disconnect the device's network uplink

    - Create an access list on the uplink interface and block connections to the IP addresses of the TACACS+ servers.

    I hope that helps!

    Thank you for rating useful posts!

  • Router with TACACS+ locked out

    Hello

    I made a rookie mistake today and set up one of our routers with the following configuration:

    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated 

    We use RADIUS for authentication and TACACS+ for authorization, so needless to say I'm locked out of the router. I wonder if the only way past it is a password reset on the router, or if there is a way for me to reconfigure my RADIUS server to allow access to this device with this configuration. Thank you

    Since you have 'enable' as the fallback method, simply make the TACACS+ server unavailable to this router (a null route somewhere upstream, an ACL, etc.), and then the router should let you log in with the enable password instead of a username and password.

    Note: I assume that the default authentication applies to the console or VTY lines, but I can't say whether that is the case, since the complete configuration was not shown.
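    Both the "make the server unreachable" advice in this answer and the "tacacs+ then local" fallback in the previous thread rely on one IOS rule: a method list moves on to the next method only when the current method returns an error (no server answered), never when the method answered and rejected the credentials. The following is an added example, not from the original posts: a small Python model of that rule, with constructed account names and passwords, that a practitioner can use to reason about lockout and fallback cases before touching a production router.

```python
"""Model of IOS AAA login method-list evaluation (added example, not from the thread).

Rule modelled: a method that cannot answer returns ERROR and the list moves on;
a method that answers (PASS or FAIL) ends the evaluation. If every method
errors, the login is denied.
"""
from typing import Callable, Dict, List, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Creds = Dict[str, Optional[str]]          # {"username": ..., "password": ...}
Method = Callable[[Creds], str]


def group_tacacs(server_reachable: bool, accounts: Dict[str, str]) -> Method:
    """'group tacacs+': ERROR only when no server in the group answers."""
    def method(c: Creds) -> str:
        if not server_reachable:
            return ERROR
        return PASS if accounts.get(c["username"]) == c["password"] else FAIL
    return method


def local(accounts: Dict[str, str]) -> Method:
    """'local': the router's own username database."""
    def method(c: Creds) -> str:
        return PASS if accounts.get(c["username"]) == c["password"] else FAIL
    return method


def enable(secret: str) -> Method:
    """'enable': the enable secret; the router asks for no username."""
    def method(c: Creds) -> str:
        return PASS if c["password"] == secret else FAIL
    return method


def evaluate(method_list: List[Method], creds: Creds) -> str:
    """Walk the list in order; stop at the first method that gives a verdict."""
    for method in method_list:
        verdict = method(creds)
        if verdict != ERROR:
            return verdict
    return FAIL   # every method errored: IOS denies the login


def scenarios() -> Dict[str, str]:
    """Constructed sample accounts: the server and the local database hold different passwords."""
    server = {"alice": "srv-pw"}
    local_db = {"alice": "local-pw", "rescue": "local-pw"}
    alice_local = {"username": "alice", "password": "local-pw"}
    alice_server = {"username": "alice", "password": "srv-pw"}
    enable_only = {"username": None, "password": "en-secret"}
    return {
        # 'group tacacs+ local', server up: a reject is final, local is never consulted
        "server_up_local_pw": evaluate([group_tacacs(True, server), local(local_db)], alice_local),
        "server_up_server_pw": evaluate([group_tacacs(True, server), local(local_db)], alice_server),
        # server unreachable: falls through to local
        "server_down_local_pw": evaluate([group_tacacs(False, server), local(local_db)], alice_local),
        # 'group tacacs+' alone with the server unreachable: nobody gets in
        "server_down_no_fallback": evaluate([group_tacacs(False, server)], alice_server),
        # 'group tacacs+ enable' (the locked-out router above): the enable secret opens the door
        "server_down_enable": evaluate([group_tacacs(False, server), enable("en-secret")], enable_only),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

    The model makes the two sides of the advice visible. A reachable server that rejects a password does not fall through to `local` or `enable`, so a wrong password on the server side is still a lockout. Conversely, anyone who can block the path to your TACACS+ servers (the ACL or null-route trick) downgrades the router to whatever fallback method follows, so the `enable` secret and any local fallback accounts deserve the same handling as the server accounts.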

  • TACACS+ authentication errors

    I am having problems getting TACACS+ AAA working with my 3560 switches. I set up users, groups, and NDGs on the ACS SE as per the ACS course material and triple-checked my keys to make sure they match. I have attached the switch debug output for authentication, authorization, and TACACS+. Can someone please tell me what I'm doing wrong?

    Oh, so it's the SE that is not working.

    To fix this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click Default ---> if you see another AAA server under 'Forward To', move it out, and move the ACS server itself into 'Forward To' ---> Submit + Apply.

    It should work now.

    If you do not see the Proxy Distribution Table option, go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distributed System Settings.

    Kind regards

    ~ JG
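    The question above mentions triple-checking the shared key. On the wire, a key mismatch does not produce a clean "bad key" error: the TACACS+ body is XORed with an MD5-derived pseudo-pad that depends on the key, so the server simply sees a body whose length fields make no sense. The following is an added example, not code from the thread or from ACS: a Python implementation of the RFC 8907 header, pseudo-pad and authentication START body, with a constructed session ID, key and credentials, showing that the right key recovers the request and a one-character key difference does not.

```python
"""TACACS+ (RFC 8907) framing and body obfuscation (added example, not from the thread).

Shows why a switch/ACS shared-key mismatch surfaces as an undecodable request
rather than an explicit key error.
"""
import hashlib
import struct

# Header: version, type, seq_no, flags, session_id, length (12 bytes, network order)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

START_FMT = "!BBBBBBBB"            # action, priv_lvl, authen_type, service, four length bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over (session_id, key, version, seq_no[, previous digest])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, port: str, rem_addr: str,
                       session_id: int, key: bytes) -> bytes:
    """Client side: a PAP authentication START packet (seq_no 1) obfuscated under `key`."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: strip the header, de-obfuscate, and check the body's own length fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("truncated or non-authentication packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        # A server with a key configured should refuse these rather than accept cleartext.
        raise ValueError("unencrypted flag set; refusing cleartext request")
    body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FMT, body[:8])
    if 8 + ul + pl + rl + dl != length:
        # Wrong key -> wrong pad -> the length bytes are effectively random.
        raise ValueError("body lengths inconsistent: shared key mismatch?")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"user": user.decode("ascii"), "port": port.decode("ascii"),
            "rem_addr": rem_addr.decode("ascii"), "password": data.decode("ascii"),
            "priv_lvl": priv_lvl, "authen_type": authen_type, "seq_no": seq_no}


def try_parse(packet: bytes, key: bytes):
    """Return the decoded request, or None when the key does not fit."""
    try:
        return parse_authen_start(packet, key)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed values: session ID, key and credentials are made up for the demo.
    pkt = build_authen_start("admin", "s3cret", "tty1", "10.0.0.5", 0x1234ABCD, b"cisco")
    print("right key :", try_parse(pkt, b"cisco"))
    print("wrong key :", try_parse(pkt, b"c1sco"))
```

    Two practitioner notes follow from the code. First, the pad depends only on the session ID, sequence number, version and key, so this is obfuscation, not encryption: anyone holding the key, or anyone who sees a session ID reused with the same key, can strip it, and RFC 8907 accordingly expects TACACS+ to run on a separately secured management network. Second, the unencrypted flag is a client-chosen bit; a server that honours it for a client that is supposed to have a key quietly accepts plaintext credentials, so the refusal in `parse_authen_start` is the behaviour to want.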

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their (non-Cisco) network nodes via TACACS+. The nodes involved are:

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX-series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The ACS configuration is fairly simple. You'll want to create login users and match them to the classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user noc uid 2001
    set system login user noc class noc-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class noc-class idle-timeout 15
    set system login class noc-class permissions view
    set system login class noc-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) per user or per group (preferred). First, you change the Interface Configuration and add a TACACS+ junos-exec service, leaving the Protocol field empty. Then you change the user or group attributes. I've attached screenshots of both.

    Hope this helps.

    Derek

  • ACS 4.2 wired and wireless group mapping

    Hello

    User1 connects to the switch; he belongs to the AD group Domain_user and is mapped to ACS Group1, which sends the RADIUS attribute to change the VLAN. This part works fine.

    My problem is when the same user connects with his wifi card... He is still part of domain_user and still gets mapped to group1 on ACS, but now the RADIUS values are wrong for wireless.

    Wired production VLAN = 20

    Wireless production VLAN = 120

    What I want to do is something like:

    ADGroupX + Connect_type1 = ACS Group1

    ADGroupX + Connect_type2 = ACS Group2

    I tried to use the connection profile, but the group mapping is not performed at this level. Ditto for NAR; my user must be able to log in wired or wireless and get the right VLAN, not get restricted by the NAR.

    Another way would be to set up a wireless username/password in the internal database and add it to the right ACS group, but that involves password management, and not all 802.1X clients support password auth (without user intervention).

    Any idea?

    Hi... this scenario is exactly what Network Access Profiles (NAPs) are designed to address. Essentially, a NAP creates a complete configuration based on the network service.

    So the default ACS is a single-NAP system (well, I guess two if you include both RADIUS and TACACS+), where for any network service all RADIUS users are assumed to use a single device type. A NAP allows you to configure, per service, the authentication protocols, the group mappings, and the authorizations.

    In the first part of the NAP you have to differentiate the authentication requests for each network service. This could be as easy as using the IP address of the AAA client or the NDG. If this is not possible, you can start looking at the attributes in the RADIUS request to find attribute values that are unique to the switch or the WLAN.

    Assuming you have managed that, it is a matter of implementing the authentication and authorization policies, but the main thing is that you will be able to send different RADIUS attributes back to the device for the same user.

    The user interface can take a little getting used to, so read the docs online and stick with it!

    www.extraxi.com for all your reports ACS needs

  • 2600 router: struggling with setting up user accounts and AAA

    I'm using SDM to configure an Easy VPN connection and, being a newbie, I'm fighting with AAA and the creation of the necessary user account. The SDM wizard said I must have AAA enabled and a user account. I found this doc from Cisco using Google:

    http://www.Cisco.com/en/us/docs/iOS/12_2/security/configuration/guide/scfathen.html#wp1000971

    and, following the instructions, I entered these commands in the CLI:

    Router(config)#aaa new-model

    Router(config)#aaa authentication login default local

    but my normal login username and password stopped working in the CLI as soon as I did that. I had to power down the router and restart it to regain control.

    To be honest, I find the Cisco instructions really hard; I don't understand the method-list RADIUS/Kerberos/TACACS+ stuff, so I was wondering if there are simple instructions out there to set up the user account necessary to go forward with the Easy VPN wizard in SDM.

    Thanks for the pointers.

    Hello Anthony,

    Once you enable aaa new-model, all the authentication mechanisms previously applied to the lines are invalidated. That's why you should do one of the following:

    Do not issue 'aaa authentication login default local', or, if you are forced to by SDM, create a username for yourself with a high privilege level, because this command affects the console and VTY lines whose authentication is left at the default and requires a username and password each time you connect. Alternatively, you can create a list that has 'none' as its method and apply it to the console line to skip console authentication.

    username anthony privilege 15 password xxxx

    Once you enter a username as shown above, you can connect via the console with this username and password if 'aaa authentication login default local' is issued.

    The RADIUS and TACACS+ methods refer to servers that can hold usernames with more advanced configurations. For simple authentication you can use local authentication, which is why you should not mess with RADIUS or TACACS+ at the moment.

    Regards
