Riverbed TACACS

How do I configure ACS 5.3 to authenticate the Riverbed Steelhead?

Hello Santosh,

You must configure the attribute "local-user-name" with the value "admin" on the Shell Profile and assign it to your Access Policy rule "Default Device Admin". Here is a screenshot of the attribute configuration screen:

Jatin kone
-Do rate helpful posts-


Tags: Cisco Security

Similar Questions

  • Total connection time: how to account for it with TACACS.

    Hi, we have the following scenario: this company uses two methods for remote access (for employees only): through RAS connections, or by using VPN clients to connect to a PIX 535 over the Internet. We need to do accounting for the total connection time. In the case of RAS connections this is easy: we run AAA TACACS+ between the RAS and the ACS (ver 2.1) and check the start/end time. But with the Internet connection the start/stop time reflects the total time of each connection per user, i.e. telnet, snmp, ftp, etc., and those connections can be simultaneous (or not), so we cannot just add up the total time of every connection for a single user, as it could be greater than the time that this user has actually been connected. So how could we account for total connection time in this case?

    Thanks in advance for your recommendations

    Unfortunately you can't. Accounting for VPN users on the PIX has been on the drawing board for some time now, but so far has not been implemented. You can check the status of bug ID CSCdu01327 for updates.

  • TACACS+ configuration issue with a Cisco 3560 switch

    Hi Forum,

    Here's my TACACS+ setup on my Cisco 3560 switch, and my question is: how can I configure the switch so that I don't have to type enable after I enter the username and password? With the configs below, users need to type enable whenever they connect to the switch in order to enter privileged exec mode. Please let me know if something is missing in my configs to help me avoid typing 'enable'.

    Thanks in advance,

    MacBookAir:~ MacBook$ ssh [email protected]
    Password:
    Switch>en
    Switch#show run | include aaa
    aaa new-model
    aaa group server tacacs+ mpcc
    aaa authentication login default group tacacs+ local
    aaa authentication enable default none
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa server radius dynamic-author
    aaa session-id common
    Switch#

    Hello

    Add privilege level 15 under the VTY line configuration.

    line vty 0 4
     [..]
     privilege level 15
    !

    Regards

  • ISE TACACS device filters

    I'm migrating from ACS to ISE for TACACS. In ACS, we used device filters to define a list of network devices, which let you create rules that match or don't match within access policies. I don't know how to do the same thing in ISE.

    You can do this by selecting "Network Access: Device IP Address".

    Hope it meets your request.

    Regards

    Gagan

    PS: Rate as correct if it helps!

  • Changing TACACS servers

    We have added a new server running 5.2 and are moving off 3.3 TACACS.

    Will I lose router access when I remove the old server IP info and AAA commands? The router is out of state and I do not want to lose access while making these changes.

    Example config:

    Old router TACACS config:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console_line local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.31
    tacacs-server host 10.2.1.9
    tacacs-server directed-request
    tacacs-server key 7 0835185A5C1053051D080717

    New router TACACS config (current):

    aaa new-model
    !
    !
    aaa group server tacacs+ TTI_ACS_GROUP
     server 10.1.1.253
     server 10.1.1.252
     ip tacacs source-interface GigabitEthernet0/0
    !
    aaa authentication login default group TTI_ACS_GROUP
    aaa authentication enable default group TTI_ACS_GROUP
    aaa authorization exec default group TTI_ACS_GROUP if-authenticated
    !
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.253
    tacacs-server host 10.1.1.252
    tacacs-server directed-request
    tacacs-server key t4t5i6rocks

    Thank you!

    -Nick C.

    We upgraded some time ago from ACS 4.2 to 5.3. I kept the router config pretty much the same and had the same TACACS key on every server, so I just added the new TACACS hosts to the existing server configuration and then removed the old server, and everything was fine.

    Don't forget, if you are worried about losing the connection, that a "reload in 005" is always good to do before making any changes, so if you make a config change that is not liked and you lose the connection, the router will reload and, as the config was not saved, come back up with the working config.

  • Cisco ISE with both TACACS+ and RADIUS?

    Hello

    I'm rolling out wired authentication on a network using Cisco ISE. I've studied the requirements for this. I know that I need to enable RADIUS on the Cisco switches on the network. The switches in the network are already configured for TACACS+. Does anyone know if they can both operate on the same network at the same time?

    Bob

    I suppose that TACACS is configured (with ACS 4.x or 5.x) for device administration via telnet/ssh, and now you need RADIUS to authenticate 802.1X. Yes, they can both work on the same network at the same time.

    ~BR
    Jatin kone

    *Do rate helpful posts*

  • TACACS config question

    Hello

    This is the configuration for TACACS, but authentication is not working.

    aaa new-model
    !
    !
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host 14.24.6.8
    tacacs-server host 17.24.66.1
    tacacs-server timeout 1
    tacacs-server directed-request

    This problem needs to be resolved.

    Thanks in advance.

    Regards

    Dhananjay.M

    A number of things to check before we get into troubleshooting:

    1.] tacacs-server timeout 1 ->> is the time interval the AAA client waits for the server to respond. 1 sec is too aggressive; I don't know what prompted you to configure this. Please set at least 5 seconds.

    2.] Have you configured the shared secret on the AAA client?

    Run these debugs on the switch/router, try to log in with TACACS credentials and paste the output here.

    debug tacacs
    debug aaa authentication

    ~BR
    Jatin kone

    *Do rate helpful posts*

  • ISE 2.0 and TACACS

    Hello

    Does anyone know when ISE version 2.0 is coming and whether TACACS will be supported?

    Thank you in advance.

    Joana.

    ISE will support most of the TACACS+ v1.5 features. This version is scheduled for November 2015.

    Please rate helpful posts and mark this question as answered if this does in fact answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • MFA for TACACS+ via ISE - is RSA SecurID the only option?

    I'm running Cisco Secure ACS for TACACS and other things. I have to move to another platform due to the requirements of PCI DSS 3.2.

    ISE is the frontrunner to replace ACS, but I also have a requirement to implement multifactor authentication (MFA) everywhere.

    The ISE 2.1 implementation guide says that RSA SecurID is supported for MFA with TACACS connections. I don't have RSA SecurID and probably never will.

    The implementation guide and my Cisco provider also make the more general statement that ISE will work with any MFA solution which has a RADIUS-compliant front end. Well, I already have one of these (SafeNet/SafeWord). What they don't say is whether it will work specifically for TACACS authentications. The only docs I can find on this subject are all/only about ISE doing this for RADIUS clients, such as a Cisco ASA handling AnyConnect VPN clients.

    Has anyone gotten ISE TACACS to work with MFA using anything other than SecurID? Do you have any links?

    Click on your name in the upper right to see your profile. Then choose the 'Messages' tab and click 'New Message'.

  • TACACS+ and local login access

    Basic summary is that I want to have both TACACS+ and local login access to the router on the vty lines. So I made the two groups below. Goody obviously is what will use TACACS and Console uses local logins. I split them between 0-4 and 5-15. It seems that whichever comes first gets priority for authentication. If I move Console to 0-4, then local users work and TACACS doesn't. If I have Goody at 0-4, then TACACS works but local doesn't. I know I'm missing something simple. I have two TACACS servers; I doubt that both will ever go down, but just in case I want local usernames to work. If I apply an access list to 0-4 and use SSH, and a different access list to 5-15 and use telnet, it seems to work that way, but that doesn't help me if the internet goes down and I am trying to access the router via SSH on-site.

    Thanks in advance.

    David

    aaa authentication login Goody group tacacs+ local
    aaa authentication login Console local

    line con 0
     login authentication Console
    line aux 0
    line vty 0 4
     session-timeout 7
     exec-timeout 5 0
     login authentication Goody
     transport input ssh
    line vty 5 15
     session-timeout 7
     exec-timeout 5 0
     login authentication Console
     transport input ssh

    Hi David,

    Correct me if I'm not understanding this correctly, but you want to use TACACS servers for ssh/console authentication and, if they fail, you want the network device to use its local database.

    If that is correct you should not need to split the lines and assign authentication lists. The first list that you have:

    aaa authentication login Goody group tacacs+ local

    lists TACACS+ and the local database as possible authentication methods. They will be processed in the order they are configured, so the device will:

    1. Use your TACACS+ servers.

    2. If the TACACS+ servers are unreachable, then the local database is used.

    You can test this by assigning 'Goody' to all your vty lines and then making your TACACS+ servers unavailable. To do that you can:

    -Restart the server
    -Shut down the server interface
    -Disconnect the device's network uplink
    -Create an access list on the uplink interface and block connections to the IP addresses of the TACACS+ servers.

    I hope that helps!

    Thank you for rating helpful posts!

  • TACACS packets stopped by IPS

    Hi all

    This is my setup: Switch--FirstIntPair--PIXInside--PIXOutside--SecondIntPair--Hub--InternetRouter.

    I have two interface pairs (please don't ask me why). One between the switch and the PIX inside interface and another between the PIX outside interface and the internet router.

    Now, when I telnet to my internet router (I have TACACS) it does not work. If I use a local username and password it connects. Investigating further, I saw in the TACACS debug that TACACS packets are timing out. When I bypassed inspection on my IPS everything worked fine. When I enable inspection again, it stops working. There is no event log for this at all, no signature firing, nothing. Can someone tell me what's going on? Any help much appreciated.

    -Hoogen

    What version of IPS software are you running?

    I'm not very knowledgeable about TACACS.

    If it uses a TCP connection, the following information may help.

    If you're running 5.1, then the normalizer may be denying packets if the TACACS packets must go through two interface pairs.

    The normalizer gets confused when the same packet is seen twice, especially when a firewall may be modifying the packet. The normalizer can get confused trying to track the TCP sequence numbers.

    We do not recommend monitoring 2 interface pairs in 5.1 if some of the same traffic must flow through both pairs.

    If you're running 6.0, then what kind of sensor do you have?

    If the sensor supports virtualization, then create a new virtual sensor and move one of your interface pairs to the other virtual sensor.

    If the 6.0 sensor does not support virtualization (such as the IDS-4215), then there is a new option in 6.0, 'inline-TCP-session-tracking-mode'. Set this option to "interface-and-vlan". Then the sensor will track traffic on each interface pair independently in order to prevent further normalizer problems.

    I don't know if the above information will help you solve your particular problem.

    Other things to check if it doesn't:

    TACACS traffic may be triggering a signature.

    Run "show events" on your sensor CLI and run your TACACS connection to see if any signatures are triggering that may have a deny action.

    You can even try setting an event action override for the produce-alert action for risk ratings 1-100 and try "show events" again. There are a few signatures that don't create alerts by default (intentionally), but will create alerts with the event action override. You can see if maybe one of them is firing.

    (Don't forget to disable the produce-alert event action override when you're done diagnosing. Many of the signatures that do not produce an alert by default can be quite noisy because they monitor normal traffic and are just parts/components of a Meta signature looking for the attack itself.)

  • aaa authentication enable default group tacacs+ enable

    I'm implementing CSACS 4.0. First of all, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host IP
    tacacs-server key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+

    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestions will be appreciated!

    It should work, because it is a prompt/banner shown whenever you try to connect (console/vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:

    ************************************************************
    Username: cisco, Password: cisco (priv 15 - local)
    ************************************************************
    Unauthorized use is prohibited.
    Enter your name here: User1
    Now enter your password:
    Router#

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Now enter your password:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • ACS 4.0 TACACS+ key

    Hello

    I'm trying to use an ACS for switch TACACS+ authentication. I'm getting a key mismatch, but I no longer actually know where the TACACS key is defined on the ACS unit. How can I reset it / find out where it is?

    Thank you.

    1. ACS side:

    -Connect to ACS via web browser
    -On the ACS main menu, check the switch configuration (called AAA Client) status under "Network Configuration - AAA Client".

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142681

    -Check the switch details and the secret key that is set. You can re-enter the same key or set a new key (without spaces or special characters).
    -Compare or use this key on the switch, where it is configured in the "tacacs-server" setting.
    -Save the config

    2. Switch side:

    -Connect to the switch CLI (console/telnet/ssh)
    -Scroll down to the "tacacs-server key" configuration line.

    http://www.Cisco.com/en/us/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f032.html#xtocid238207

    -Delete the existing key (normally an encrypted hash). Enter the same key - no extra spaces or characters.
    -Make sure you're pointing to the ACS server/IP address
    -Do not save the config yet. Test the TACACS+/AAA authentication to verify that the keys used on the ACS server and the switch are correct/identical.

    I hope this helps. Pls rate all helpful post(s)

    AK

  • TACACS console question

    Hello

    I've just put TACACS on some IOS devices. I'm only using a default group that is configured to provide level 15 privileges. As I use the same default group on the vty and console, I would expect access by both methods to be the same, but when I telnet in I get the level 15 # prompt directly, whereas when I console in I always get prompted for the enable secret.

    Any ideas?

    Regards

    Chris Ayres

    Chris

    You have found a behavior that Cisco has had for a long time (and probably for good reason). The TACACS authentication/authorization that puts someone directly into privileged mode by default works on the vty and does not work on the console.

    The reasoning is that if you make a mistake in the authentication/authorization configuration (very easy to do - especially if your understanding of what you are doing is a little weak), it would be easy to lock yourself out of the device. By default it works on vty and does not work on the console (providing a way to recover from problems). There is a hidden command that allows you to also have it working on the console (be very careful that your config works correctly before you activate it on the console).

    If you want it, try this:

    aaa authorization console

    HTH

    Rick

  • ISE 2.0 TACACS license consumption

    Hi all

    I was experimenting with TACACS in ISE 2.0.1 and noticed that no base licenses are consumed when I log in to a configured network device.
    Whereas when I log in with RADIUS authentication, 1 base license is consumed per session.

    Is this behavior intentional or a bug? As I intend to implement TACACS authentication on a fairly large network, it would strongly reduce my costs if I do not need the device licenses.

    TACACS uses a Device Administration license. It does not consume base licenses, which apply to the RADIUS side.
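The "TACACS+ and local login access" thread above turns on how an IOS login method list such as "aaa authentication login Goody group tacacs+ local" is evaluated. The following Python model is an added example (not from the thread and not IOS code): each method returns PASS, FAIL or ERROR, and the next method is consulted only on ERROR, so the local fallback account is usable only while every TACACS+ server is unreachable; the server table, account names and passwords are constructed.

```python
"""Model of IOS AAA login method-list evaluation. Added example for the
'TACACS+ and local login access' thread; not IOS code. A method returns
PASS, FAIL or ERROR; the next method in the list is consulted only on
ERROR (no server answered), never on FAIL (an explicit reject)."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class TacacsGroup:
    """Constructed stand-in for 'group tacacs+': each server is either up
    (with its user table) or down (times out)."""

    def __init__(self, servers):
        self.servers = servers  # list of {"up": bool, "users": {name: pw}}

    def login(self, user, password):
        for srv in self.servers:
            if not srv["up"]:
                continue  # timed out; IOS tries the next server in the group
            return PASS if srv["users"].get(user) == password else FAIL
        return ERROR  # every server in the group timed out


class Local:
    """The 'local' method: the device's own username database."""

    def __init__(self, users):
        self.users = users

    def login(self, user, password):
        return PASS if self.users.get(user) == password else FAIL


def aaa_login(method_list, user, password):
    """Walk an 'aaa authentication login' list in order. Returns
    (result, method) so the caller can see which method decided."""
    for name, method in method_list:
        result = method.login(user, password)
        if result != ERROR:
            return result, name
    return FAIL, "no-method-left"  # all methods errored: access denied


LOCAL_DB = Local({"emergency": "L0cal-0nly"})  # constructed fallback account


def goody_results(tacacs_up):
    """Evaluate the thread's 'Goody' list (group tacacs+ then local) for three
    logins, with both constructed TACACS+ servers either up or down."""
    tacacs = TacacsGroup([
        {"up": tacacs_up, "users": {"netops": "T@c@cs-pw"}},
        {"up": tacacs_up, "users": {"netops": "T@c@cs-pw"}},
    ])
    goody = [("group tacacs+", tacacs), ("local", LOCAL_DB)]
    return {
        "netops": aaa_login(goody, "netops", "T@c@cs-pw"),
        "emergency": aaa_login(goody, "emergency", "L0cal-0nly"),
        "bad_pw": aaa_login(goody, "netops", "wrong"),
    }


if __name__ == "__main__":
    for state in (True, False):
        print("servers up" if state else "servers down", goody_results(state))
```

While the servers are reachable, the "emergency" login is rejected by TACACS+ and never reaches the local database, which is exactly why a split vty configuration looked necessary in the thread.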

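The "ACS 4.0 TACACS+ key" thread above describes a key mismatch between the switch and ACS. The Python below is an added example (not from the thread, and not ACS or IOS code) that implements the TACACS+ body obfuscation from RFC 8907 section 4.5 and shows what a receiver sees when its copy of the shared key differs from the sender's; the key, session id and login fields are constructed.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5) and the effect of a
shared-key mismatch. Added example; not ACS, IOS or thread code. The key,
session id and login fields are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated and
    truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation is a plain XOR with the pad, so one function both hides
    and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, priv_lvl=1):
    """Client side: an authentication START (seq_no 1) for an ASCII login."""
    body = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port),
                  len(rem_addr), 0]) + user + port + rem_addr
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, 1)


def decode_authen_start(packet, key):
    """Server side: reveal the body with our copy of the key and check that
    the declared field lengths fill it. With the wrong key the body is
    pseudo-random, the lengths do not add up and None is returned; that is
    the condition a device reports as a key mismatch."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    _action, priv_lvl, _atype, _svc, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    user = body[8:8 + ulen]
    port = body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    try:
        return {"user": user.decode("ascii"), "port": port.decode("ascii"),
                "rem_addr": rem_addr.decode("ascii"), "priv_lvl": priv_lvl}
    except UnicodeDecodeError:
        return None
```

The header is never obfuscated, so a mismatched key is only detectable from the garbage body; this is why the thread's advice to re-enter the identical key on both sides, with no stray spaces, resolves the symptom.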