Enable secret with ACS
Dear all, where is the menu in ACS to centralize the "enable secret", so that on a router or switch there is no "enable secret" if it is already assigned to ACS? Anyway, TQ.
Go to Interface Configuration, TACACS+ (Cisco IOS), under Advanced Configuration Options, and check the option "Advanced TACACS+ Features".
After that, you will see the enable password options.
Tags: Cisco Security
Similar Questions
-
Where is the shared secret field for the ACS 5.3 server itself?
Hello
We currently have a distributed PR and DR ACS 5.3 installation, implemented with TACACS+ and one RADIUS unit.
The RADIUS unit is OPNET AppResponse Xpert Admin; we are trying to integrate AppResponse Xpert Admin with ACS.
The GUI for AppResponse Xpert Admin requests the IP address of the RADIUS server (i.e. our ACS), the RADIUS port (i.e. 1812) and a 'secret'. I assume that means the shared secret of the ACS itself (not the shared secret used by network devices).
On our ACS 4.2 systems, we have a field for a shared secret on the ACS server itself (to allow replication?).
Searching for "Shared Secret" in the PDF "User Guide for Cisco Secure Access Control System 5.3" only found references to defining one for network devices, and nothing for the ACS itself.
Is a shared secret for the ACS server itself still relevant on the 5.x ACS system?
Hi Stuart,
To answer your question:
There is no shared secret for the ACS itself.
If the ACS needs to communicate with another device, you must define an AAA client and define a shared secret.
ACS 4 used this shared secret to protect/secure replication; ACS 5 secures replication by encryption and not by shared secrets (hash).
Rate if useful
-
Since the migration to ACS 5.5.0.46 we keep seeing the following message appear in the alarm inbox:
Cisco Secure ACS alarm (REVIEW): the physical size of the ACS DB is more than 50% of its actual size.
Cisco Secure ACS - Alarm Notification
Severity: critical
Name of the alarm
System alarm [purge the database]
Cause/trigger
The physical size of ACS db is more than 50% of its actual size.
Alarm details
The physical size of the ACS DB is more than 50% of its actual size. The size will be reduced after purging the ACS transaction log and compressing the ACS DB.
Mon Mar 17 05:00:06 CET 2014
ACS View database compression and backup are set up and run without error:
The backup job stores a maximum of 4 months on an FTP server.
Backup: monthly
Incremental: weekly
DB: Compression enabled
Purge and incremental backup history:
Name               Start Time                  End Time                    Status
DatabasePurge-Job  Mon Mar 17 04:00 CET 2014   Mon Mar 17 04:00 CET 2014   Completed
As far as I can see from the CLI, the DB is not oversized:
ACS21/acsadmin(config-ACS) # acsview show-dbsize
Actual size of DB (bytes): 1585192960
Real DB size (GBs): 1.48
DB size (bytes): 1605386240
Physical size DB (GBs): 1.5
Physical ACSviewlog file size (GBs): 0
ACS21/acsadmin(config-acs)# exit
ACS21/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
Looking at the user guide:
"The ACS database must be compressed during the maintenance operation. You can run the acsview-db-compress command in acs-config mode to reduce the physical size of the View database when there is a difference between the physical size and the actual size of the View database. ACS 5.5 stops only the log collector services during the compress operation and will be operational after the compression operation is complete. You must enable the log recovery feature to retrieve messages received during the database compression operation.
In ACS 5.5, the database compression operation is automated. You can check the Enable ACS View Database Compress check box to compress the ACS View database automatically, daily at 05:00. The database compression operation is executed every day automatically at 05:00 whenever needed."
I tried to manually compress the DB with 'acsview-db-compress', with no effect.
Hello
You are running into bug CSCum51180. The alarm should be a warning, not critical, and should be triggered only when the physical size is greater than the actual size by more than one gigabyte (in your case the difference is very small, 1.5 vs 1.48).
The fix should be present in a future update.
Javier Henderson
Cisco Systems
-
Lenovo Vibe Shot: band set to USA problem
Hello
I am writing because I need help with a Lenovo Vibe Shot bought last week.
Unfortunately, an action in the Nova launcher opened a secret menu (which, I found out later, can also be reached from the phone's keypad with the code *#*#4636#*#*); by selecting "Phone information" and then the menu "Select radio band", a window "Set GSM/UMTS band" appeared with only one choice, "USA band". Without thinking, I tapped that item and from that moment the phone has had no reception; it seems to be set to the US bands. I have found no way to restore the band.
I tried to reset to factory settings, but the problem was not resolved.
I also tried to reinstall a ROM through the Miflash procedure and a QSB ROM, but nothing; the no-reception problem remains. Thanks to anyone who can help me.
-
ASA-1> en, Password: *, stuck at this point
Hello
I'm stuck at this point, please advise. OS 9.x.
ASA - 1 > sh curpriv
Username: admin1
Current privilege level: 1
Current Mode/s: P_UNPR
ASA - 1 > en
Password: *   <--- the enable password is cisco, but it does not work
Password:
Here is the config:
aaa authentication enable console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa accounting command privilege 15 ACS
aaa accounting enable console ACS
aaa accounting ssh console ACS
aaa accounting telnet console ACS
aaa authorization exec authentication-server
enable password cisco
Thank you all
Hi Ibrahim.
It seems that your enable password is configured to be taken from the ACS server:
aaa authentication enable console ACS LOCAL
Please check on ACS or reset your password. If you have console access, remove the command and test.
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
TACACS+ configuration on a 1900
Forgive me if this question belongs on the General Security forum.
I read Document ID 9906, configuring TACACS+ on the Catalyst 1900.
I have a 1924 configuration that has TACACS+ on it. The switch is not on my network yet... I use a console cable to configure it. I tftp'd the running config into NVRAM. Somehow in the process, I have an enable password level 15 xxxxx left in the config.
When I log into the switch and go into enable mode... TACACS+ has to time out several times before I can get in.
My question has to do with the enable secret password vs. having enable password level 15.
Right now I have both... To make my configuration match what is in the rest of my network that is online, I need to remove the enable password level 15 xxxx (xxxx standing in for the pw) command because its pw is not encrypted.
Which leaves me with the enable secret password alone.
My concern is that when I take off the enable password level 15... I won't be able to get back into my switch!
enable use-tacacs
and
tacacs-server last-resort password
are both in my configuration
Can I remove the enable password level 15 xxxx, leaving the enable secret in, and not get locked out of the switch?
Keep in mind that the 1924 is not on my network yet... I have to drive hundreds of miles to install it and don't want to get into trouble when I'm there with it.
Thanks for your help.
Hello
The main difference between the enable password and the enable secret password is that the encrypted enable password uses a reversible encryption function, and the plaintext password can be recovered from the encrypted password. The enable secret password, however, uses a non-reversible encryption function.
The only time the enable password is used is if the enable secret password is disabled (or you are using an old image that does not support the enable secret password).
Therefore, it should be perfectly safe to remove the enable password. You will not get locked out of the switch as long as you know the enable secret password.
Hope that helps - please rate the post if it does.
Paresh
-
IP over different WANs, source routing by IP range? [Cisco 891]
Hi all!
Here I am again asking for help! :)
Here's the goal: I want one set of computers to use one WAN and another set to use the other WAN, based on the IP address range.
I use a Cisco 891 router. FastEthernet0 is one WAN, GigabitEthernet8 is the other WAN, and GigabitEthernet0 to 7 are the 8 switch ports of the router.
For now, I have my two internet connections working very well, each of them connected to a WAN port on my router. I have no problem having all my computers use one WAN or the other, or even load balancing between them, but what I want is to pin some computers to one internet connection and the other computers to the other internet connection.
I don't know how to do this; I looked into routing by source IP address, but I don't really know how to do it. I saw something about policy-based routing, but I can only apply these policies on incoming packets, and I don't seem to be able to apply these policies to one of the switch ports of the router. I would need to use a WAN port to connect my LAN in, but then I would not have enough WAN ports for both of my internet connections.
Internet gateway #1 is 172.26.2.254
Connection #2 gateway is 192.168.1.254
Here is my current config:
I understand why I have a bad connection with this config, since it is load balancing between the two default routes and sending to only one of my two WANs according to the lookup, but I don't know what to do to say precisely: IP range #1 goes here, IP range #2 goes there.
Cisco891(config)#do sh run
Building configuration...
Current configuration : 3833 bytes
!
! Last configuration change at 15:11:43 UTC Tue Oct 20 2015 by ***********
! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by ***************
! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by **************
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 ************************/
enable password ************************
!
no aaa new-model
!
ip dhcp excluded-address 172.26.1.1 172.26.1.49
ip dhcp excluded-address 172.26.1.100 172.26.1.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
ip dhcp pool vlan1pool
 network 172.26.1.0 255.255.255.0
 default-router 172.26.1.254
 dns-server 208.67.222.222 208.67.220.220
!
ip domain name lnc360.fr
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn *******************************
!
username ******************** privilege 15 secret *************************************
!
no ip ftp passive
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5
 switchport mode trunk
 no ip address
!
interface GigabitEthernet6
 switchport mode trunk
 no ip address
!
interface GigabitEthernet7
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 ip address 172.26.2.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.26.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list LAN_PCs interface GigabitEthernet8 overload
ip nat inside source list LAN_servers interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 172.26.2.254
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip access-list extended LAN_PCs
 deny   ip 172.26.1.0 0.0.0.31 any
 deny   ip 172.26.1.112 0.0.0.15 any
 deny   ip 172.26.1.240 0.0.0.15 any
 permit ip 172.26.1.0 0.0.0.255 any
ip access-list extended LAN_servers
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 172.26.1.0 0.0.0.31 any
 permit ip 172.26.1.112 0.0.0.15 any
 permit ip 172.26.1.240 0.0.0.15 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 password 7 ******************************************
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 password 7 ***********************************************
 login local
 transport input telnet
 transport output telnet
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.europe.pool.ntp.org
!
end
Thank you!
Hello
Apply the PBR policy on the SVIs of the VLANs:
int vlan 1
 ip policy route-map PBR
int vlan 2
 ip policy route-map PBRRES
Paul
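The answer above only says where to apply the policy. As an added example (not from the thread or from Cisco), here is a small Python simulation of how IOS evaluates the 891's two existing ACLs inside a route-map, so the split by source range can be checked before any router is touched. The route-map clause order and the next-hop assignment (LAN_PCs to gateway #1 at 172.26.2.254, LAN_servers to gateway #2 at 192.168.1.254, mirroring the NAT statements in the posted config) are assumptions; the ACL text is copied from the posted config.

```python
import ipaddress

# Copy of the two ACLs from the posted 891 running-config (constructed inline).
ACLS = {
    "LAN_PCs": """
        deny   ip 172.26.1.0 0.0.0.31 any
        deny   ip 172.26.1.112 0.0.0.15 any
        deny   ip 172.26.1.240 0.0.0.15 any
        permit ip 172.26.1.0 0.0.0.255 any
    """,
    "LAN_servers": """
        permit ip 10.10.10.0 0.0.0.255 any
        permit ip 172.26.1.0 0.0.0.31 any
        permit ip 172.26.1.112 0.0.0.15 any
        permit ip 172.26.1.240 0.0.0.15 any
    """,
}

# Assumed route-map (not in the thread). Clause order matters: first match wins.
ROUTE_MAP = [
    ("LAN_PCs", "172.26.2.254"),       # PCs -> WAN #1 (Gi8), as in the NAT rule
    ("LAN_servers", "192.168.1.254"),  # servers -> WAN #2 (Fa0)
]


def parse_acl(text):
    """Parse 'permit|deny ip <net> <wildcard> any' lines into (action, net, wildcard)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()}")
        action, net, wild = parts[0], parts[2], parts[3]
        entries.append((action, int(ipaddress.IPv4Address(net)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def acl_match(entries, src):
    """IOS semantics: the first ACE whose (src & ~wildcard) equals (net & ~wildcard)
    wins. Returns 'permit', 'deny', or None for the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
        if (s & care) == (net & care):
            return action
    return None


def policy_next_hop(src, route_map=ROUTE_MAP, acls=ACLS):
    """Return the next hop a source address would be policy-routed to, or None
    when no clause permits it (the packet is then routed normally)."""
    parsed = {name: parse_acl(text) for name, text in acls.items()}
    for acl_name, next_hop in route_map:
        # A 'deny' ACE (or no match at all) in a clause's match list means the
        # clause does not match; evaluation continues with the next clause.
        if acl_match(parsed[acl_name], src) == "permit":
            return next_hop
    return None


if __name__ == "__main__":
    for host in ("172.26.1.10", "172.26.1.50", "172.26.1.120", "172.26.1.250",
                 "10.10.10.5", "172.26.1.200", "192.168.5.1"):
        print(f"{host:>14} -> {policy_next_hop(host)}")
```

Note that the LAN_PCs deny entries are what keep the server ranges out of clause 10, so they fall through to clause 20; the route-map needs both clauses to get the split the poster describes.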
-
I entered "enable secret soft", and now I'm locked out. A question mark after 'enable secret' says I can enter "LINE". That is not the case; I should have entered 0 or 5, and I did not. I tried
soft and all the variations. I don't want to break in if I can avoid it. Anyone know what I can do to get enable privileges? Thank you
If you used "enable secret soft" then soft is your password. It defaults to 0 (an unencrypted password follows).
There was probably a typo when you typed soft, because it should work.
If it still does not work, password recovery will be your only option to get into the router.
I hope it helps.
PK
-
Unable to enter privilege level using the enable password set on ACS
Hi all
I am not able to enter the privilege level using the enable password set on ACS 1121 (5.4.0.46).
Please find the details of the ASA:
ASA5580-20
Software version: 9.1
LAB-FW# show run | include aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.x.x
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting telnet console TACACS+
aaa accounting ssh console TACACS+
aaa accounting enable console TACACS+
no vpn-addr-assign aaa
I created the shell profile and gave it privilege 15; please find snap 1 in the attached Word doc.
However, when I try to create the service profile I get an error message; please find snap 2 in the attached Word doc.
Kindly share your expertise.
Hello Dominic,
For privilege authorization to take effect, you must add the following command to your ASA configuration:
aaa authorization exec authentication-server
After adding it, the ASA will honor the privilege level sent by the ACS.
Regarding the error you are getting in the ACS GUI, please make sure you are using a browser supported for ACS 5.4 according to the release notes:
http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...
Note: Please mark as answered as appropriate.
-
IOS 15.4 enable secret question
Hello
My understanding is that the type 4 enable secret is a security concern and type 4 is frowned upon in IOS 15.4M.
I would like to create an enable secret using a plaintext password and have it encrypted so it is not visible from the command line or the configuration file. I would also like to be able to "copy" this enable secret password to other devices. Is there a way to create an enable secret password in plain text and have the router hash/encrypt it?
Thank you!
Brett
Simply type:
enable secret <password>
You can then copy either the plain-text or the encrypted version of the command to another device.
PS. I have written a type 5 password cracker in JavaScript. It is faster on Chrome. If you can crack the password with this then you know that you have chosen a weak password.
http://www.IFM.NET.nz/cookbooks/Cisco-IOS-enable-secret-password-cracker.html
If you are using IOS 15.4 as you indicate, then you can use the much, much, much stronger scrypt algorithm:
enable algorithm-type scrypt secret <password>
Once more, you can copy and paste either the plain or the encrypted version of the line to another Cisco router and it will work perfectly.
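As an added example (not from either thread or from Cisco), here is a small Python auditor for the situation in the Catalyst 1924 thread above and in this one: it reads a running-config and reports which credential lines are cleartext (type 0), reversible (type 7), deprecated type 4, MD5-based type 5, or PBKDF2/scrypt (types 8/9), and flags an 'enable password' left in place alongside an 'enable secret'. The sample config and its hash values are constructed placeholders, not real hashes.

```python
import re

# Cisco password/secret type codes as they appear in a running-config line.
# Severity is from the defender's point of view: what someone who obtains a copy
# of the config file can recover from each form.
TYPE_INFO = {
    "0": ("cleartext", "critical"),
    "7": ("reversible obfuscation", "critical"),
    "4": ("unsalted single-pass SHA-256 (deprecated)", "high"),
    "5": ("salted iterated MD5 crypt", "medium"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}
SEVERITY_ORDER = ["ok", "medium", "high", "critical"]

# Matches 'enable secret|password [level N] [type] value' and
# 'username NAME [privilege N] secret|password [type] value'.
# ('enable algorithm-type scrypt secret ...' is typed interactively and is
# stored as 'enable secret 9 ...', so the stored form is what gets audited.)
LINE_RE = re.compile(
    r"^\s*(?P<ctx>enable|username\s+\S+)(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kind>secret|password)(?:\s+level\s+\d+)?\s+(?P<rest>.+)$"
)


def classify(rest):
    """Return the type code of the argument string after secret/password."""
    parts = rest.split(None, 1)
    if len(parts) == 2 and parts[0] in TYPE_INFO:
        return parts[0]
    return "0"  # no type code: the stored value is the cleartext password


def audit_config(config_text):
    """Return one finding dict per credential line, plus a finding when an
    'enable password' coexists with an 'enable secret'."""
    findings, have_secret, have_enable_password = [], False, False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        code = classify(m.group("rest"))
        algorithm, severity = TYPE_INFO[code]
        ctx, kind = m.group("ctx"), m.group("kind")
        have_secret |= (ctx == "enable" and kind == "secret")
        have_enable_password |= (ctx == "enable" and kind == "password")
        findings.append({"line": lineno, "context": ctx, "kind": kind,
                         "type": code, "algorithm": algorithm, "severity": severity})
    # IOS only consults 'enable password' when no 'enable secret' is set, so a
    # leftover one is a redundant reversible copy of a privileged credential.
    if have_secret and have_enable_password:
        findings.append({"line": None, "context": "enable", "kind": "password",
                         "type": "-", "algorithm": "redundant alongside enable secret",
                         "severity": "high"})
    return findings


def worst_severity(findings):
    if not findings:
        return "ok"
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample: the 1924-style leftover 'enable password level 15' next to
# an enable secret. The hash strings are placeholders, not real digests.
SAMPLE_CONFIG = """\
hostname Cat1924-lab
enable secret 5 $1$PLCH$placeholderMd5CryptValue0
enable password level 15 xxxx
username admin privilege 15 secret 9 $9$placeholderScryptValue
username backup password 7 0123456789ABCDEF
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['context']} {f['kind']} type {f['type']} "
              f"[{f['severity']}] {f['algorithm']}")
    print("worst:", worst_severity(audit_config(SAMPLE_CONFIG)))
```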
-
Enable passwords: ISE Device Administration (ACS) integrating with Active Directory
I'm working on a standalone ISE deployment and running into a problem where the enable password for a device is not pulled properly. I have the initial login tied to AD and I have the policy conditions/results/sets all as they should be working. My test device is a 2960S. I tried setting up 'aaa authentication enable default group enable', but the only way I could do an enable login with it was if the user was configured locally in ISE under Identity Management > Identities > Users. Is there something I missed that will tie enable passwords to an Active Directory group, as it works for the initial logon?
I see just one mistake: your aaa authentication enable command. You must specify the TACACS group.
Right now, I don't have access to my lab with ISE.
Here's my config for switches used with ACS:
aaa authentication login TACACS-SRV group tacacs+ local
aaa authentication login Console local
aaa authentication dot1x default group radius
aaa authorization exec TACACS-SRV group tacacs+ local
aaa authorization commands 15 TACACS-SRV group tacacs+ local
aaa authorization network default group radius
aaa accounting exec TACACS-SRV stop-only group tacacs+
aaa accounting commands 15 TACACS-SRV stop-only group tacacs+
If you give me all the output, maybe we can understand why your TACACS with ISE does not work with AD. I see no reason except a misconfiguration or another issue.
Just to get into enable mode, you need nothing more than 'aaa authentication enable default enable'. Enable mode is pushed to the user if he gets privilege 15. Your problem should be in the profile or the policy. With the authorization log, we can see whether ISE pushes the policy and why.
-
Enable AAA fails on the second ACS server
I have 2 Windows 2003 ACS 4.2 servers, which authenticate with AD. I have configured TACACS+ authentication for both on my PIX 515 running version 7.24. TACACS+ authentication works fine on both. However, when I use 'aaa authentication enable console ProsperAdminAuth LOCAL', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server, and the failed authentication on the ACS reports "ACS invalid password". It does not fall back to the LOCAL password. I checked all the passwords and there is no problem there. I know the key is fine, because TACACS+ auth works. Has anyone seen this issue elsewhere, or know what I might try?
Thank you
Vivek
Hello
External database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to External User Databases -> Unknown User Policy, you will find that under Configure Enable Password Behavior you are on "Internal database" instead of "The database in which the user profile is held".
-Jesse
-
How to turn off the enable privilege for ACS TACACS+
I have an MSFC with the following configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
I have ACS v3.0 on NT.
I have set up the advanced TACACS+ option in the ACS which can enable privileges for users. However, the user can still log in to the MSFC and issue the 'enable' command.
Is there a better way on the ACS to refuse a user the 'enable' command, so that he cannot go to enable mode even though he may have the enable secret password that is configured on the MSFC?
Thank you
David
David
You can do command authorization and deny the 'enable' command.
So on the router, you will have:
aaa authorization commands 0 default group tacacs+ local
On the ACS, for that user, under Command Authorization, add the command 'enable' with the arguments denied. Make sure you also have unlisted arguments denied.
Once command authorization has been enabled on the router, every user will be checked for authorization. So for other users, in the ACS box, make sure that you have "Unmatched Cisco IOS commands: Permit" and also "Unlisted arguments: Permit".
Make the change on the ACS first and then add the router config.
Thank you
Nisha
-
Cisco ACS authentication issues
Hi all
I have just set up my ACS for Windows Server. It runs version 4.1 software. I am having authentication problems. I have my setup in the ACS GUI using TACACS+ to authenticate the AAA clients. I have the key on the switch and the corresponding key on the ACS server. I have set up users. Here's my AAA config on the switch...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Here is the TACACS+ debug output:
183757: Sep 2 10:14:22.131 EDT: TAC+: send AUTHEN/START packet ver=192 id=2789804961
183758: Sep 2 10:14:22.131 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183759: Sep 2 10:14:22.131 EDT: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
183760: Sep 2 10:14:22.135 EDT: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
183761: Sep 2 10:14:22.135 EDT: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
183762: Sep 2 10:14:22.335 EDT: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
183763: Sep 2 10:14:22.335 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 128683
WC2950-12#
183764: Sep 2 10:14:22.335 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
183765: Sep 2 10:14:22.335 EDT: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
183766: Sep 2 10:14:22.339 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183767: Sep 2 10:14:22.339 EDT: SSH1: password authentication failed for wcromwell
I have the same key on the AAA server as I do on my switch...
Thank you
Please check the secret key of the NDG and of the main AAA client. The NDG key overrides the main AAA client key.
Make sure you have the right key in the NDG.
Kind regards
~ JG
Please rate useful messages.
-
ACS appliance 4.2 - internal database replication problem
Hello
I'm yunchoul jung in Korea.
Now I'm setting up an ACS 1113 appliance, ver 4.2.
For internal database replication, the primary and secondary ACS servers cannot replicate the database due to the default SELF (127.0.0.1) entry in Network Configuration.
So I have a question: how do I replace the 127.0.0.1 address with the IP address I want, or delete the SELF (127.0.0.1) address?
I don't understand the solution procedure in the documentation below.
Thank you for your help in advance
Problem: 127.0.0.1 is a reserved address
You have two ACS SE 1113 units and replicate the internal database from the primary to the secondary,
but you notice this error message on the secondary unit:
ACS Database Replication
denied - inbound shared secret mismatch
When you try to change the AAA server key under Network Configuration, an error message is
returned.
This is due to a known bug:
Symptom: 127.0.0.1 address appears in ACS and replication fails
Conditions:
Install ACS S/W version 4.2.0.124
Disable the network adapter
Enable the network adapter
* Go to the Network Configuration page.
* You should see the AAA server IP to be a loopback
Workaround:
For Windows: remove the 127.0.0.1 entry
For the appliance: back up the database, install ACS on Windows, restore, delete
the entry, make a backup and restore on the appliance
Kind regards
~ JG
Please rate useful messages.