Nexus: command authorization with TACACS+

Hello.

Can anyone provide an example configuration for using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?

Thank you.

Kind regards.

Andrea

Hello Andrea,

We moved to ACS 5.3 now, but we had our 5520 Nexus running against our old 4.2 ACS before this, so I picked out the relevant bits of the config below:

! local administrator user (password omitted on the original post)
username admin password <password> role network-admin
! turn on TACACS+
feature tacacs+
! set the key for the TACACS+ server
tacacs-server host <server-ip> key <key>
! create the server group (called "tacacs" here)
aaa group server tacacs+ tacacs
  ! the IP address of the TACACS+ server
  server <server-ip>
  ! use the default 'management' VRF to send TACACS+ queries...
  use-vrf management
  ! ...and send them from the mgmt interface
  source-interface mgmt0
! use TACACS+ for login authentication
aaa authentication login default group tacacs
! use TACACS+ for console login authentication
aaa authentication login console group tacacs
! use TACACS+ for config-command authorization, local as fallback
aaa authorization config-commands default group tacacs local
! use TACACS+ for normal command authorization, local as fallback
aaa authorization commands default group tacacs local
! send accounting records to TACACS+
aaa accounting default group tacacs

I hope that works for you!

(This may change a bit when you move to ACS 5.x. We chose not to do complex command auth there (using only shell profiles); to work around this you push a role back to the Nexus 5k, and it does the command auth (network-operator vs network-admin) based on that, as long as you just don't configure aaa authorization commands on the 5k.)

Rob...

Tags: Cisco Security

Similar Questions

  • Problem with TACACS+ (ACS) and Cat 2950

    I have configured the 2950 as below and configured ACS properly, and I can connect to the 2950 using this configuration. The problem is that after I go to enable and try any command, I get the error "command authorization failed".

    What did I miss in the config that will allow me to execute commands?

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    tacacs-server host ***.***
    tacacs-server key 7 *

    Thanks in advance.

    Jon

    Hi Jon,

    The AAA on the switch seems OK; maybe you need to take a look at your ACS.

    Check the following information on where you have to apply it in your ACS config:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

    Rgds,

    AK

  • My iPod video 5th generation won't play smart playlists in order with iTunes 12.4, and iTunes can't remember how to sort things either. When are you going to solve the problem?

    My iPod video 5th generation won't play smart playlists in order with iTunes 12.4, and iTunes can't remember how to sort things either.

    When are you going to solve the problem?

    What can I do to solve this problem?

    Use the Songs view to set the order you want. Right-click on the name of the playlist in the left sidebar, then select Copy to Play Order in the context menu. Sort the list on the leftmost column of numbers, or use View > Sort By > Playlist Order. Then sync the device.

    TT2

  • I want to show RealPlayer .MOV videos integrated in chronological order with still photos in Windows Photo Gallery

    Windows Photo Gallery is not showing them at all, let alone integrated in chronological order with still photos, which is very annoying. The computer I use has Vista Home Premium installed. And please, if you really want your response to be useful, do not make assumptions about my level of knowledge and explain in detail all the actions that are needed.

    Otherwise, how can I view all my still photos in Windows Photo Gallery? For some reason photos dated 2005 (and probably earlier, if there were any) are not displayed, although they appear separately if I select a specific date.

    In other words, I don't like how this miserable machine works; I just want to see all my pictures and videos in chronological order without a lot of tweaking. And if the Photo Gallery will not show RealPlayer videos (the format my videos are automatically stored in, and how do I stop that if it's not good for the Photo Gallery?), how can I change them to a format that will work with the Photo Gallery?

    Rant off.


    ====================================
    Windows Live Photo Gallery is supposed to display Apple
    QuickTime .MOV files if you also install QuickTime from Apple.

    (FWIW... it's always a good idea to create a System
    Restore point before installing software or updates)

    Windows Vista - system restore: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows-Vista/system-restore-frequently-asked-questions

    Windows Live Photo Gallery 2011
    http://explore.live.com/Windows-Live-Photo-Gallery?OS=other

    Apple QuickTime
    http://www.Apple.com/QuickTime/Download/

    My camera takes QuickTime video. How can I see those
    files in the Windows Vista Photo Gallery?
    http://blogs.msdn.com/b/PIX/archive/2007/06/05/FAQ.aspx

    Also... the free Picasa software may be worth a try:
    (Personally, I like it better than WLPG)

    (FWIW... it's always a good idea to create a System
    Restore point before installing software or updates)

    Picasa
    http://Picasa.Google.com/

    Organize your digital photos with Picasa
    http://Lifehacker.com/#! 267024/organize-your-digital-photos-with-Picasa

    To make your QuickTime .MOV files more universally
    compatible, you can try converting them to the .WMV
    format.

    There are many programs that can do conversions...
    The following freeware is an example...:

    (FWIW... it's always a good idea to create a System
    Restore point before installing software or updates)

    Format Factory
    http://www.videohelp.com/tools/Format_Factory
    (the 'direct link' is faster)
    (the file you want to download is: FFSetup260.zip)
    (FWIW... during installation, you can uncheck
    'all' boxes on the last screen)

    First, you will need to decompress the file, or just open the
    folder, drag FFSetup260.exe out of it
    and drop it on your desktop. To install, left click it.

    Next, after the download and installation of Format
    Factory... you can open the program and
    left click on the toolbar, the "Option" button and
    "Select an output folder to" / apply / OK.
    (this is where you find your files after they)
    are converted)

    Drag and drop your video clips on the main screen...

    Select "all to WMV" / OK...

    Click on... Beginning... in the toolbar...

    That should do it...

    Good luck...

    Volunteer - MS - MVP - Digital Media Experience J - Notice_This is not tech support_I'm volunteer - Solutions that work for me may not work for you - * proceed at your own risk *.

  • IDS with TACACS+

    Are the IDS 4215 sensors compatible with TACACS+? I see nothing in the CSM or IDS user guides themselves that would lead me to believe they are, but I wanted to make sure with the group.

    Thank you.

    IDS/IPS devices currently do not support external authentication using AAA servers. The only way users can be authenticated is using the local database on the IDS/IPS device.

    I hope this helps.

    Kind regards

    Maryse.

  • ACE with TACACS+ question

    Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.

    The "optional" syntax does not work. Any idea if the argument is valid for this version of ACS?

    Service = exec

    Optional shell: Admin = domain Admin

    I tried it with quotes, but which didn't work either.

    Hello

    This is a reference doc for configuring the ACE for TACACS+ authentication:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891

    Under the custom attributes for TACACS+ we need to specify the attribute in the form:

    shell:Admin*ADMIN MYDOMAIN1

    '=' means a mandatory attribute

    '*' means optional

    Information on the context/role/domain (virtualization on ACE):

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html

    Default 'role' on ACE:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297

    HTH

    JK

    Please rate useful posts.

  • Can the maximum number of ports on a Nexus 1000v vDS be changed online with no disruption?

    Hello

    I'm sure that's not what this link

    VMware KB: Increase in the maximum number of vNetwork Distributed Switch (vDS) ports in vSphere 4.x

    says.

    I have 5.1 ESXi and vcenter

    Thank you
    Saami

    There is no downtime when you change the "vmware max-ports" value on a port profile. It can be done during production.

    You can also create a new port profile with a test virtual machine and change the "vmware max-ports" there if you want to be warm and fuzzy about it.

  • I have the order number and the date of the order with me and want to get Adobe Creative Cloud support; can you advise how to go about this?

    I have the order number and the date of the order with me and want to download Creative Cloud on my desktop. Please can you advise me how to go about this?

    Creative Cloud Help / Creative Cloud for desktop

    https://helpx.Adobe.com/creative-cloud/help/creative-cloud-desktop.html

    Creative Cloud Help / Sign out, sign in | Creative Cloud desktop app

    http://helpx.Adobe.com/creative-cloud/KB/sign-in-out-creative-cloud-desktop-app.html

    Creative Cloud Help / Install, update, or uninstall apps

    http://helpx.Adobe.com/creative-cloud/help/install-apps.html

    Install Creative Cloud applications

    http://TV.Adobe.com/watch/CS6-creative-cloud-feature-tour-for-video/installing-desktop-app s-of-creative-cloud.

  • I am unable to log in with TACACS+ after adding the aaa authorization network command

    Hello

    I was testing a switch's aaa authentication when it does not communicate with ISE, and I found strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.

    The switch kept cycling: it showed the banner, gave the authentication failure message 3 times, and then the cycle began again with the failure, banner and login message.

    I removed the aaa authorization network command, reloaded the switch, and I was able to log in successfully.

    Could someone help me with this problem?

    Hi Nitesh-

    This command (aaa authorization network) has nothing to do with admin authorization on the NAD (in this case, the switch). This command applies to network connections such as PPP, SLIP, etc.

    In addition, aaa authorization can be performed with RADIUS and not only TACACS+. RADIUS is not as powerful and you can't provide command authorization sets, but you can still return roles and different privilege levels.

    Have you tested the above configuration syntax? I did, and it works as expected!

    Thank you for rating useful posts!

  • Custom authorization with TACACS+ (ACS 5.4) - NX-OS RBAC limited access

    Hello

    I created a custom RBAC role on NX-OS.

    role name Limited_Admin
      rule 11 deny command configure terminal ; interface mgmt0
      rule 10 permit read
      rule 9 permit command configure terminal ; interface *
      rule 8 permit command copy running-config startup-config
      rule 7 permit command ping *
      rule 6 permit command traceroute *

    I created a shell profile with the following attribute, which places the user in the Limited_Admin role, and mapped it to the authorization policy rule.

    Attribute: cisco-av-pair

    Requirement: Mandatory

    Value: shell:roles="Limited_Admin"

    When I log in with the test account, I get mapped to the custom role as shown below, but I have priv 15.

    user: testrbac

    roles: Limited_Admin

    account created through the REMOTE authentication

    Credentials such as ssh server key will be cached only temporarily for this user account

    Local login is not possible

    Any help is greatly appreciated. I had this working perfectly on 4.2, but I'm unable to make the rules work on 5.4.

    Nexus AAA configuration:

    tacacs-server key *
    ip tacacs source-interface mgmt0
    tacacs-server host x.x.x.x
    aaa group server tacacs+ ACS-SERVERS
      server x.x.x.x
      use-vrf management
    aaa authentication login default group ACS-SERVERS
    aaa authentication login console local
    aaa accounting default group ACS-SERVERS
    aaa authentication login error-enable

    I saw it, and that's what I wanted to see and use as the syntax/format on NX-OS under the role, like this:

    role name Limited_Admin
      rule 11 deny command configure terminal ; interface mgmt0

    However, I think you tried it and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.

    Jousset
    * Please rate helpful posts *

    Sent from the Cisco Technical Support Android app
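As an added illustration (not code from this thread or from Cisco), the following Python models how NX-OS walks a role's rules: the highest-numbered rule is tested first, the first match wins, and anything unmatched is denied. It uses a constructed copy of the Limited_Admin rules above; treating 'permit read' as covering the show commands, and a rule on a submode as covering the commands entered beneath it, are simplifying assumptions.

```python
import fnmatch

# Constructed copy of the Limited_Admin rules from the post above,
# as (rule number, action, kind, pattern).
LIMITED_ADMIN_RULES = [
    (11, "deny",   "command", "configure terminal ; interface mgmt0"),
    (10, "permit", "read",    None),
    (9,  "permit", "command", "configure terminal ; interface *"),
    (8,  "permit", "command", "copy running-config startup-config"),
    (7,  "permit", "command", "ping *"),
    (6,  "permit", "command", "traceroute *"),
]


def _normalize(text):
    """Collapse whitespace so 'show   running-config' equals 'show running-config'."""
    return " ".join(text.split())


def rule_matches(rule, command):
    """'command' rules are glob patterns; ';' separates submode steps.
    Assumption: 'permit read' covers the show commands."""
    _, _, kind, pattern = rule
    cmd = _normalize(command)
    if kind == "read":
        return cmd == "show" or cmd.startswith("show ")
    pat = _normalize(pattern)
    # Assumption: a rule on a submode (e.g. 'interface mgmt0') also
    # covers every command typed under that submode.
    return fnmatch.fnmatchcase(cmd, pat) or fnmatch.fnmatchcase(cmd, pat + " ; *")


def evaluate(rules, command):
    """Highest-numbered rule first, first match wins, no match is an implicit deny.
    Returns (decision, matching rule number or None)."""
    for rule in sorted(rules, key=lambda r: r[0], reverse=True):
        if rule_matches(rule, command):
            return rule[1], rule[0]
    return "deny", None


def audit(rules, commands):
    """Map each command to its (decision, rule number) under the role."""
    return {c: evaluate(rules, c) for c in commands}


if __name__ == "__main__":
    sample = [
        "configure terminal ; interface mgmt0",
        "configure terminal ; interface mgmt0 ; shutdown",
        "configure terminal ; interface ethernet1/1",
        "show running-config",
        "reload",
    ]
    for cmd, (decision, num) in audit(LIMITED_ADMIN_RULES, sample).items():
        print(f"{decision:6} rule={num}  {cmd}")
```

Running the sample shows why rule 11 has to carry the highest number: with the numbers swapped, the wildcard in rule 9 would permit the mgmt0 interface before the deny was ever consulted.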

  • AAA authorization and the TACACS+ server unavailable scenario

    I set up a PIX for user authentication for telnet and enable access. I set up authorization so that a subset of users can run only show commands. This set works as expected.

    The problem is when I simulate a network failure and try to access the PIX console. I can't run the enable command because the command is not permitted. I have to use the password recovery procedure to access the PIX. How do I deal with this? Can I have command authorization processed locally? Can I associate the show command with a lower privilege level? If so, how, and how can I limit the user to this privilege level (via TACACS+)? What am I doing wrong?

    Thank you

    If the PIX is configured for TACACS+ authentication and the TACACS+ server is unavailable for authentication, there is no way to recover or get around this issue at this time.

    You will be able to configure the PIX to fall back to local authentication if TACACS+ is not available.

    That will be available in a later release (I think 6.3 and above).

  • Locked out of a router with TACACS+

    Hello

    I made a rookie mistake today and set up one of our routers with the following configuration:

    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated 

    We use RADIUS for authentication and TACACS+ for authorization, so needless to say I'm locked out of the router. I wonder if the only way past this is a password reset on the router, or if there is a way for me to reconfigure my RADIUS/TACACS+ server to allow access to this device with this configuration. Thank you

    Since you have 'enable' as the fallback method, simply make the TACACS+ server unavailable to this router (null route somewhere upstream, ACL, etc.) and then the router should allow you to log in using the enable password instead of a username and password.

    Note: I assume that the default authentication applies to the console or VTY lines, but I can't say for sure, since the complete configuration was not shown.
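As an added example (not from the thread), this Python walks the router's AAA method lists the way IOS does: the next method is consulted only when the current one returns an error (server unreachable), while an explicit reject ends the list, which is why 'enable' only comes into play once the TACACS+ server cannot be reached. The config is a constructed copy of the lines above; treating a username missing from the local database as an error that moves on to the next method is an assumption.

```python
# Constructed copy of the method lists from the locked-out router above.
ROUTER_CONFIG = """
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""


def parse_method_lists(config_text):
    """Map e.g. 'authentication login' to its ordered list of methods."""
    lists = {}
    for line in config_text.strip().splitlines():
        parts = line.split()
        if parts[0] != "aaa" or "default" not in parts:
            continue
        i = parts.index("default")
        key = " ".join(parts[1:i])            # e.g. 'authorization commands 15'
        toks, methods = parts[i + 1:], []
        while toks:
            if toks[0] == "group":            # 'group tacacs+' is a single method
                methods.append("group " + toks[1])
                toks = toks[2:]
            else:
                methods.append(toks[0])
                toks = toks[1:]
        lists[key] = methods
    return lists


def walk_methods(methods, server_reachable, server_accepts,
                 enable_ok=True, local_user_known=False, local_ok=False):
    """Return (outcome, method that decided). IOS moves to the next method only
    on ERROR; an explicit FAIL (server reject, wrong password) ends the list."""
    for m in methods:
        if m.startswith("group "):
            if not server_reachable:
                continue                      # ERROR: server unreachable -> next
            return ("pass" if server_accepts else "fail"), m
        if m == "enable":
            return ("pass" if enable_ok else "fail"), m
        if m == "local":
            if not local_user_known:
                continue                      # assumption: unknown user -> next
            return ("pass" if local_ok else "fail"), m
        if m in ("if-authenticated", "none"):
            return "pass", m
    return "error", None                      # every method returned ERROR


def login_outcome(config_text, server_reachable, server_accepts):
    """Outcome of a VTY/console login under the 'authentication login' list."""
    lists = parse_method_lists(config_text)
    return walk_methods(lists["authentication login"], server_reachable, server_accepts)
```

With the TACACS+ server reachable but unaware of the user (the page's RADIUS-for-authentication setup), the list stops at the reject; only when the server is unreachable does the walk reach 'enable'.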

  • ACS 4.2 profiles with TACACS+?

    Hello

    I use ACS 4.2 (appliance) with network access profiles. It's a very big problem that profiles only support the RADIUS protocol; I need to use the TACACS+ protocol with profiles. I need TACACS+ for command authorization. Is it possible to have a rule like this on ACS 4.2:

    - If logging in from NetworkDeviceGroup1 using RADIUS, use local authentication

    - If logging in from NetworkDeviceGroup2 using TACACS+, use RSA SecurID (external RADIUS authentication).

    Best regards

    Hello

    ACS 4.x NAP works only with RADIUS.

    - If you want, you can go to ACS 5.x, which is more flexible.

    It runs role-based authentication/authorization, and you can combine the roles you need to be more flexible.

    Please visit the sites:

    1) http://www.youtube.com/watch?v=Xin98O-Q4JY

    2) http://www.youtube.com/watch?v=vOxcrEU_-Gw&feature=related

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

    Kind regards

    Talal

    ==

    Remember to rate the responses that you find useful.

    Please rate the answers that you find useful and mark the question as answered when it is :-) so that others can easily find it.

  • How to account for total connection time with TACACS+

    Hi, we have the following scenario. This company uses two methods for remote access (for employees only): RAS connections, or VPN clients connecting to a PIX 535 over the Internet. We need to do accounting for the total connection time. In the case of RAS connections it is easy: we run AAA TACACS+ between the RAS and the ACS (ver 2.1) and check the start/stop time. But with the Internet connection, the start/stop time reflects the time of each connection per user (telnet, snmp, ftp, etc.), and those connections can be simultaneous (or not), so we can't just add up the total time of every connection for a single user; it could be greater than the time the user has really been connected. So how could we account for total connection time in this case?

    Thanks in advance for your recommendations

    Unfortunately you can't. Accounting for VPN users on the PIX has been on the design board for some time now, but so far has not been implemented. You can check the status of bug ID CSCdu01327 for further updates.

  • HP Photosmart 7460 now prints pages in reverse order with white sheets between the two.

    I have an HP Photosmart 7460. Printing slowed to a crawl, so I deleted the old driver and installed a new one. Now it prints pages in reverse order. All the necessary pages are printed successfully, but every other page is a blank sheet. The first sheet produced is empty. I don't see any change in my printer preferences.

    Blank pages occur with multi-page documents and single-page ones. The out-of-order sequence occurs on multi-page documents.

    I'm working on the uninstall.  Will continue in the AM.
