RADIUS and TACACS+ authentication

We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS so that one switch can use both TACACS+ and RADIUS.

Can someone give me a pointer?

Thank you

You need to set up the authentication on the switch once.

aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
radius-server host 2.2.2.2 key cisco
tacacs-server host 2.2.2.2 key cisco

On ACS, you must add the switch twice.

ACS ---> Network Configuration ---> Add AAA Client

Host name: switch1

IP: 3.3.3.3

Authenticate Using: RADIUS (IETF)

Add another switch

Host name: switch2

IP: 3.3.3.3

Authenticate Using: TACACS+

Kind regards

~ JG

Please rate helpful posts.

Tags: Cisco Security

Similar Questions

  • RADIUS and TACACS+ running simultaneously?

    I have a Secure ACS 5.3.40 running TACACS+ and I also need to run 802.1x RADIUS to meet DISA requirements; I've been working on it for a week. I am unable to get the feature to work. All the AD connections are already there for TACACS+, so I'm not sure how to configure RADIUS. Can someone help with the procedure?

    Hello

    In the AAA configuration you must specify both: 802.1x authentication pointing to RADIUS, and device administration pointing to TACACS+.

    In the ACS network device configuration, apply both the RADIUS and the TACACS+ keys.

    There will be no conflict, since the two use different sets of commands.

    Thank you

    Please rate if useful...

  • Can I use one ACS as both RADIUS and TACACS+ server for the same ASA?

    I want TACACS+ to do the accounting for the ASA, while the ASA needs RADIUS for SSL VPN authentication. Is it possible to achieve this with only one ACS?

    Yes, you can use both. Add the ASA as both a RADIUS and a TACACS+ client.

    ACS ---> Network Configuration ---> Add AAA Client

    (1) ASA ---> 1.1.1.1 ---> Authenticate Using TACACS+

    (2) ASA1 ---> 1.1.1.1 ---> Authenticate Using RADIUS

    Don't forget the host name cannot be the same.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • Same host for RADIUS and TACACS+

    Hello

    Can I put a host (an ASA, for example) twice in the ACS server? One entry for TACACS+, to grant administrators exec access, and the other for RADIUS, to authenticate remote users.

    I don't want remote users to be able to get exec mode.

    Or how should I configure this?

    Yes, you can do it. Network Configuration on ACS:

    Add

    ASA ---> 10.1.1.1 ---> Authenticate Using TACACS+

    ASA1 ---> 10.1.1.1 ---> Authenticate Using RADIUS

    Host names cannot be the same.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • Switches: RADIUS or TACACS+?

    Hello

    So far I've managed my switches with TACACS+, but now I have to deploy 802.1X, which requires RADIUS only.

    As far as I know, ACS (I use 4.2) allows you to define a device using only TACACS+ or only RADIUS, but not both.

    Am I mistaken? Or is there a way to define an AAA client that communicates with the ACS using two protocols?

    Assuming I'm right, I then considered the following options:

    - Configure all switches to use RADIUS for every service (authentication, authorization, etc.). This is easier, but I lose the TACACS+ services for the switches. How big a loss is that?

    OR

    - Configure the L3 switches to use a second interface, just for the RADIUS services. They would still use TACACS+, but this would require a new network for the RADIUS service; in addition, the L2 switches do not support two IP addresses and would require a migration to RADIUS anyway.

    A considerable administrative burden, in other words.

    I'm not ready to deploy a second RADIUS server (ACS, Windows, whatever) right now.

    The key point is this: reading around, I see that Cisco documentation recommends always using TACACS+ for management, but in this case that is not possible. In general, whenever the device has a network access role (switch or access point) RADIUS seems to be the protocol of choice. Would moving to RADIUS have any drawbacks, or change the way the devices communicate? (I know the difference between TACACS+ and RADIUS: TCP vs. UDP, whole-packet encryption vs. encryption of only the password.)

    Thanks in advance

    C

    Hello Carlo,

    You can keep using TACACS+ for device management and RADIUS for 802.1x, with no need for additional servers or additional IP addresses on each managed device.

    ACS 4.2 allows you to define two AAA clients with the same IP address, one for TACACS+ and one for RADIUS; however, the host name must be unique.

    Then, on the switch, you can define the same ACS server as both a radius-server host and a tacacs-server host, and configure the "aaa" commands so that console login and authorization point to the TACACS+ server and the dot1x part points to the RADIUS server.

    What you're looking for is feasible, and it is normal to use TACACS+ for device management and RADIUS for 802.1x.

    I hope that answers your questions.

    Kind regards

    Federico

    --

    If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.

  • MS RADIUS and Cisco VPN client

    We currently have a Windows server with RAS and IAS authenticating PPTP users.

    I want to move to a 3005 concentrator (we have two not in use) and use the Cisco VPN client with IPSEC, still using Windows RADIUS (IAS) to authenticate against Active Directory.

    I have a config working for the client and it performs authentication, but I'm afraid you can't configure IAS to work with IPSEC unless you configure the policy for

    "Unencrypted authentication (PAP, SPAP)"

    on the Authentication tab

    and

    "No encryption"

    on the Encryption tab.

    Are the credentials the Cisco VPN client uses to establish the tunnel encrypted with IPSEC?

    For RADIUS PAP authentication, the user name is clear and the password is encrypted with the RADIUS shared secret.

    To maximize security, you would use TACACS+, or IPSec transport mode and an isolated VLAN. But for most of us, strong passwords and physical security keep RADIUS PAP from being a significant weakness.

  • ACS 4.2 TACACS+ authentication failure. Key mismatch

    I have configured 10 layer-2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They are all using the same key and work correctly.  I went to another 3750 switch located across a point-to-point circuit, Cisco C3750 software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the routine configuration and then entered the key, tried to log in as a user and got authentication failed. I checked the server and see key mismatch in the Reports and Activity, failed attempts.  I've removed the key, copied and pasted it from Notepad, still does not work.  Removed the switch from the ACS network device group and then re-added it, put in a new key without special characters. No go.

    Here is the config.

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ enable
    aaa authentication login NO_AAA local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated

    ip tacacs source-interface FastEthernet0/0

    tacacs-server host 10.1.1.1
    radius-server key 0 itspassword
    radius-server directed-request

    Initially the password was encrypted, so I changed it to clear text by typing the password without the 0 and with the 0.  Neither worked.  Also removed service password-encryption to see if that would do anything.

    I usually have SSH on the router, so I changed it to accept telnet.  That did not work.  Changed back to SSH, regenerated the RSA keys and modified it to use SSHv2, which did not work.

    Here's what I get from the logs:

    Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
    Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
    Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
    Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
    Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
    Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
    Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
    Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
    Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

    I searched around the forum for about 4 hours and tried all the other options that were given to other people with a similar problem.  The last key I put in was 123456.  You can't fat-finger that.  The switch log says check the key; the firewall is configured to allow all traffic from the AAA client.

    Hi green2003mg,

    The group key (of the NDG your switch belongs to) overrides the key. Have you checked that one?

    Greetz,

    Julia

  • WAAS RADIUS configuration for a Windows Server 2012 NPS server

    I have trouble getting our WAAS to authenticate devices and logins via RADIUS.  Running NPS on Windows Server 2012.  Confirmed that my WAAS device can ping the IP address of the RADIUS server.  Using the Service-Type attribute Administrative under network policies.  Looking in the event viewer, I get an error with event ID 15, "A malformed RADIUS message was received from client xxxx-WAAS-01. The data is the RADIUS message."

    Right now, I can log in only with the local default user name and password.  Here is some of the WAAS config, running version 6.2.1:

    radius-server key ****
    radius-server host 10.194.10.13 auth-port 1645
    !
    authentication login local enable secondary
    authentication login radius enable primary
    authentication configuration local enable secondary
    authentication configuration radius enable primary
    authentication fail-over server-unreachable

    I confirmed that my shared key is entered correctly on the WAAS and the NPS.  I have Cisco switches/routers working fine with the same RADIUS server.

    Has anyone had any luck connecting their WAAS devices to RADIUS using Windows Server 2012 and NPS?  If so, please share any additional steps you took to get things working.

    Hi Paul,

    Based on the RADIUS error, you are probably hitting defect CSCva14731. This was discovered with Cisco ACS, but it can affect other RADIUS servers.

    To confirm, you can check for the corresponding error in the WAAS syslog:

    authenticate: %WAAS-UNKNOWN-3-899999: pam_radius_auth: talk_radius: RADIUS server did not respond (timeout 5 (sec))

    Also, this defect does not affect devices on WAAS software 5.x.

    The problem will be fixed in the upcoming 6.2.3 release.

  • TACACS+ authentication errors

    I have problems getting TACACS+ AAA working with my 3560 switches. I set up users, groups, and an NDG on the ACS SE, as per the ACS course material, and triple-checked my keys to make sure they match. I have attached the switch debug of authentication, authorization, and tacacs. Can someone please tell me what I'm doing wrong?

    Oh, so it's the SE that is not working.

    To fix this, ACS ---> Network Configuration ---> Proxy Distribution Table ---> click Default ---> if you see the AAA server listed under "Forward To" ---> move it to "Prior To" ---> and whatever is under "Forward To" ---> drag it to the AAA server ---> Submit + Apply.

    It should work now.

    If you do not see the Proxy Distribution option, then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distributed System Settings.

    Kind regards

    ~ JG

  • AAA and TACACS servers

    Hi all

    I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with their configuration for study purposes.

    Both of them are TACACS; do you also need RADIUS (your post says AAA)?  Assuming you just need TACACS:

    Probably the best known is:

    http://www.shrubbery.NET/tac_plus/

    Also the home of RANCID.

    For a solution based on Windows you can also consult:

    http://www.TACACS.NET/

    If this post answers your question or is useful, please consider rating it and/or marking it as answered.

  • TACACS+ authentication on Juniper ScreenOS using ACS 5.3

    TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the Juniper SSG5 gives access denied. TACACS cfg attached.

    set auth-server TACACS+ id 1
    set auth-server TACACS+ server-name 10.10.xx.yy
    set auth-server TACACS+ account-type admin
    set auth-server TACACS+ type tacacs
    set auth-server TACACS+ tacacs secret xxxx
    set auth-server TACACS+ tacacs port 49
    set admin auth server TACACS+
    set admin auth remote primary
    set admin auth remote root
    set admin privilege get-external

    Please advise

    I guess you posted a screenshot. I'm waiting for the file to be downloadable for analysis.

    ~ BR
    Jatin kone

    *Do rate helpful posts*

  • PIX RADIUS and per-user access-list

    Does anyone know if, with Microsoft Internet Authentication Service (IAS - RADIUS service),

    it is possible to use downloadable access lists on the PIX firewall (per-user access lists), and how do I configure IAS for this feature?

    Thanks in advance.

    Yes, it is possible. Take a look at this link, which explains how I was able to make it work:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/config/mngacl.htm#33910

    I don't remember all the steps I took to get the IAS server to return the Cisco vendor-specific string (attribute 26), but you should be able to figure it out. I am by no means an IAS expert.

    I hope this helps.

    Scott

  • ASA auth-proxy Radius and downloadable ACLs

    Hello

    I want to have ACLs that decide what traffic to allow after auth-proxy authorization.

    1. What options do I have with ASA + ACS?

    2. Can I use auth-proxy on the ASA with ACS and RADIUS downloadable ACLs?

    3. Can I use auth-proxy on the ASA with ACS and a RADIUS cisco-av-pair (will the ASA understand it?)

    4. Can I use auth-proxy on the ASA with ACS and TACACS+ auth-proxy attributes (with ACLs)?

    Thanks

    Hello

    Take a look at this guide to see if it helps answer your question. You can use downloadable ACLs or the cisco-av-pair; I have seen that the cisco-av-pair method works a little better because it includes the user name of who logged in as part of the ACL, which makes troubleshooting easier.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_fwaaa.html#wp1150820

    Thank you

    Tarik Admani

  • Cisco ACS 5.3 - RADIUS attributes and "Device Administration/Shell Profiles"

    Can someone help me with that?

    Under "Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles" I defined a profile with the following attribute:
    Attribute = F5-LTM-User-Role
    Type = Unsigned Integer 32
    Value = 300

    My question is:
    How can I set the same as above using "Device Administration/Shell Profiles"?

    There is a Custom Attributes tab, but I can't understand how to specify the 'Type' field. (On the Custom Attributes tab there is room for 2 fields, not 3.)

    Hello

    Just for my understanding, are you trying to use RADIUS or TACACS+?

    Shell profiles are used for TACACS+, and authorization profiles are used for RADIUS.

    Thank you

    Tarik

  • Why is my phone telling me my copy of Windows is not genuine after two years? I tried a system restore but it did not help

    Why is my phone telling me my copy of Windows is not genuine after two years?

    I tried a system restore but it did not help

    Hello

    1. Which Windows "not genuine" error do you receive?
    2. Did you make any software or hardware changes on your computer before the issue appeared?

    Follow the article below:
    Genuine Windows: Frequently asked questions:
    http://Windows.Microsoft.com/en-us/Windows/help/genuine/FAQ
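
The ACS 4.2 key-mismatch thread above ends with "debug tacacs" output that is easy to misread as a network problem: the TCP connection to port 49 opens fine, yet the reply is rejected as a "bad AUTHEN packet ... (check keys)". The following is an added example, written for this page and not taken from any post in the thread, that implements the TACACS+ body obfuscation of RFC 8907 section 4.5 and the length consistency check that produces that message; it also scans debug lines of the same shape to pair each failed session with the server it was sent to. The session IDs, keys, sample debug lines and function names are constructed for the example.

```python
"""Added example (not code from the thread): TACACS+ body obfuscation from
RFC 8907 section 4.5 and the consistency check behind the IOS debug line
"received bad AUTHEN packet: length = 6, expected 80467 ... (check keys)".
Unlike RADIUS, the whole body is XORed with an MD5 stream derived from the
shared key, so a key mismatch turns every field into noise. Session IDs,
keys and the sample debug lines below are constructed."""
import hashlib
import re
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1                # packet type: authentication
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def seal(body: bytes, session_id: int, seq_no: int, key: bytes) -> bytes:
    """Header stays in the clear; body is XORed with the pad (flags=0 means obfuscated)."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def unseal(packet: bytes, key: bytes) -> bytes:
    """Derive the pad from the clear-text header fields and the receiver's own key."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    hidden = packet[HEADER.size:HEADER.size + length]
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(hidden, pad))


def authen_reply_body(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """REPLY body (RFC 8907 section 5.2): status, flags, server_msg_len, data_len, strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body: bytes) -> dict:
    """The check IOS applies: the inner length fields must account for every
    byte after the 6-byte fixed part. Decoded with the wrong key they almost never do."""
    status, _flags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    expected = 6 + msg_len + data_len
    if expected != len(body):
        raise ValueError(f"received bad AUTHEN packet: length = {len(body)}, expected {expected} (check keys)")
    return {"status": status, "server_msg": body[6:6 + msg_len], "data": body[6 + msg_len:expected]}


def key_mismatch_demo(server_key: bytes = b"itspassword", switch_key: bytes = b"itspassword ") -> str:
    """Server seals a PASS reply with its key; the switch unseals with its own.
    Returns 'accepted' or the check-keys error text. A trailing space in the
    switch key (a classic copy/paste slip) is enough to break it."""
    packet = seal(authen_reply_body(status=1), session_id=97563278, seq_no=2, key=server_key)
    try:
        return "accepted" if parse_authen_reply(unseal(packet, switch_key))["status"] == 1 else "rejected"
    except ValueError as err:
        return str(err)


QUEUED = re.compile(r"TAC\+: (\S+) \((\d+)\) AUTHEN/START\S* queued")
CHECK_KEYS = re.compile(r"\(check keys\)")

SAMPLE_DEBUG = [  # constructed after the 'debug tacacs' lines in the thread
    "Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued",
    "Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed",
    "Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467",
    "Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).",
    "Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued",
    "Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed",
]


def sessions_with_key_mismatch(debug_lines) -> list:
    """Walk 'debug tacacs' output and pair each (server, session_id) with a
    following '(check keys)' line; repeated hits point at the key, not the network."""
    current, failed = None, []
    for line in debug_lines:
        match = QUEUED.search(line)
        if match:
            current = (match.group(1), int(match.group(2)))
        elif CHECK_KEYS.search(line) and current is not None:
            failed.append(current)
            current = None
    return failed


if __name__ == "__main__":
    print(key_mismatch_demo())
    print(sessions_with_key_mismatch(SAMPLE_DEBUG))
```

Because the header (including the session ID and body length) is never obfuscated, the TCP session and the first packet always look healthy; only the decoded body betrays the mismatch. That is why the thread's advice to look at the NDG-level key on ACS, which silently overrides the per-device key, is the right place to start rather than the firewall.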
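
The "MS RADIUS and Cisco VPN client" thread above states the RADIUS PAP trade-off in one line: the user name travels in the clear and only the password is hidden with the shared secret, which is also the "password-only encryption" Carlo contrasts with TACACS+. The following is an added example, written for this page and not taken from any post or vendor code, that builds a RADIUS Access-Request the way RFC 2865 section 5.2 prescribes and shows what an observer on the path sees versus what the server recovers with the right and with a wrong secret. The user name, password, secret, packet identifier and the fixed Request Authenticator are constructed values.

```python
"""Added example (not code from the thread): how a RADIUS Access-Request with
PAP carries credentials. Per RFC 2865 section 5.2 the User-Name attribute is
sent in the clear and only User-Password is hidden, by XORing the password
with an MD5 stream keyed on the shared secret and the 16-byte Request
Authenticator. All names and sample values are constructed."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then
    c_i = p_i XOR MD5(S + c_{i-1}) with c_0 = Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server runs the same MD5 chain over the
    received ciphertext blocks, so a wrong secret yields only garbage."""
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV; the length byte covers the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def pap_exposure_report(username=b"alice", password=b"s3cret-pw",
                        secret=b"cisco", wrong_secret=b"wrong") -> dict:
    """Build one request with a fixed (constructed) Request Authenticator and
    compare what an on-path observer sees with what each secret recovers.
    A real client must draw 16 fresh random bytes for every request."""
    request_authenticator = bytes(range(16))
    packet = build_access_request(7, username, password, secret, request_authenticator)
    attrs = parse_attributes(packet)
    return {
        "username_visible": attrs[ATTR_USER_NAME] == username,
        "password_visible": password in packet,
        "with_right_secret": reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_authenticator),
        "with_wrong_secret": reveal_password(attrs[ATTR_USER_PASSWORD], wrong_secret, request_authenticator),
    }


if __name__ == "__main__":
    for key, value in pap_exposure_report().items():
        print(f"{key}: {value!r}")
```

The hiding is reversible by anyone holding the shared secret and the captured request, and the MD5 stream offers no integrity protection on its own, which is the reason the thread's reply recommends TACACS+ or IPsec transport mode plus an isolated VLAN when the RADIUS path cannot be trusted.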
