Switches: RADIUS or TACACS+?

Hello

So far I've managed my switches with TACACS+, but now I have to deploy 802.1X, which requires RADIUS only.

As far as I know, ACS (I use 4.2) lets you define a device using either TACACS+ or RADIUS, but not both.

Am I mistaken? Or is there a way to define an AAA client that communicates with the ACS using both protocols?

Assuming I'm right, I then considered the following options:

- Configure all switches to use RADIUS for every service (authentication, authorization, etc.). This is simpler, but I lose the TACACS+ services for the switches. How big a loss is that?

OR

- Configure the L3 switches to use a second loopback, just for the RADIUS services. They would keep using TACACS+, but this would require a new network for the RADIUS service; in addition, the L2 switches do not support two IP addresses and would require a migration to RADIUS anyway.

In other words, a considerable administrative burden.

I'm not ready to deploy a second RADIUS server (ACS, Windows, whatever) right now.

The key point is this: reading around, I see the Cisco documentation always recommends TACACS+ for management, but in this case that is not possible. In general, whenever the device has a network access role (switch or access point), RADIUS seems to be the protocol of choice. Would moving to RADIUS have any drawback beyond the change of communication protocol? (I know the difference between TACACS+ and RADIUS: TCP vs. UDP, encryption of the whole packet vs. of the password only.)

Thanks in advance

C

Hello Carlo,

You can keep using TACACS+ for device management and RADIUS for 802.1X, with no need for additional servers or additional IP addresses on each managed device.

ACS 4.2 allows you to define two AAA clients with the same IP address, one for TACACS+ and one for RADIUS; however, the host name must be unique.

Then, on the switch, you can define the same ACS server as both a radius-server host and a tacacs-server host, and configure the aaa commands so that login authentication and exec authorization point to the TACACS+ server and the dot1x part points to the RADIUS server.

What you're looking for is feasible, and it is normal to use TACACS+ for device management and RADIUS for 802.1X.

I hope that answers your questions.

Kind regards

Federico

--

If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.

Tags: Cisco Security

Similar Questions

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use both TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to configure the authentication on the switch once:

    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group radius
    radius-server host 2.2.2.2 key cisco
    tacacs-server host 2.2.2.2 key cisco

    In ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA Client

    Host name: switch1

    IP: 3.3.3.3

    Authenticate using: RADIUS (IETF)

    Add another AAA client:

    Host name: switch2

    IP: 3.3.3.3

    Authenticate using: TACACS+

    Kind regards

    ~ JG

    Please rate helpful posts

  • RADIUS and TACACS+ running simultaneously?

    I have a Secure ACS 5.3.40 running TACACS+ and I also need to run 802.1X RADIUS to meet DISA requirements; I've been working on it for a week. I am unable to get the feature working. All the AD connections are already there for TACACS+, so I'm not sure how to configure RADIUS. Can someone help with the procedures?

    Hello

    In the aaa configuration you must specify both: 802.1X authentication pointing to RADIUS and device administration pointing to TACACS+.

    In the ACS network device configuration, apply both the RADIUS and TACACS+ keys.

    There will be no conflict, since the two use different sets of commands.

    Thank you

    Please rate if useful...

  • Can I use an ACS as both RADIUS and TACACS+ server for the same ASA?

    I want TACACS+ to do the accounting for the ASA, while the ASA needs RADIUS for SSL VPN authentication. Is it possible to achieve this with only one ACS?

    Yes, you can use both. ACS allows you to add the ASA as both a RADIUS and a TACACS+ client.

    ACS ---> Network Configuration ---> AAA Client

    (1) ASA ---> 1.1.1.1 ---> Authenticate using TACACS+

    (2) ASA1 ---> 1.1.1.1 ---> Authenticate using RADIUS

    Don't forget: the host name cannot be the same.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Same host for RADIUS and TACACS+

    Hello

    Can I put a host (an ASA, for example) twice in the ACS server, once for TACACS+ to grant administrators exec access and once for RADIUS to authenticate remote users?

    I don't want remote users to be able to get exec mode.

    Or how should I configure this?

    Yes, you can do it. In Network Configuration on ACS:

    Add

    ASA ---> 10.1.1.1 ---> Auth using TACACS+

    ASA1 ---> 10.1.1.1 ---> Auth using RADIUS

    Host name cannot be the same.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Interaction of TACACS+ and RADIUS, ACS 2.6 downloadable PIX ACLs

    We have ACS v2.6 running and controlling our remote access, router and switch access. We are now looking to add support for an internal PIX firewall and want to use ACS downloadable ACLs for the PIX (to control outbound traffic through the PIX for authenticated users).

    We have achieved this using the Cisco IOS/PIX RADIUS attribute [009\001] cisco-av-pair on ACS (and access-list restrictions on user access).

    However, the problem we noticed is that any user who is valid in our CiscoSecure or SecurID database can authenticate and gain access through the firewall, even if they are not allowed to do this (and by default on the PIX, inside to outside is allowed unlimited full access).

    We then imposed network access restrictions on CiscoSecure ACS for our PIX, to allow access only for the corresponding user groups, but this did not work with RADIUS, only with TACACS+ (I guess because RADIUS does not support authorization).

    So we must work with TACACS+ and have ACS pass the ACL number/ID down to the PIX for permitted users.

    Question: we want to use ACS downloadable ACLs for the PIX (for reasons of central support). Is this possible using TACACS+, and if so, how do we configure CiscoSecure ACS for the example ACL below?

    access-list pix_int permit tcp any host 10.x.x.x eq 1022
    access-list pix_int permit tcp any host 10.x.x.x eq 1023

    Thank you

    Downloadable ACLs work only with RADIUS, as described here:

    http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

    You can continue to define the ACL on the PIX itself and simply pass the ACL number via TACACS+ (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can't actually push the entire ACL down via TACACS+, sorry.

  • Running RADIUS & TACACS+ simultaneously on ACS

    Hi all

    I currently have an ACS setup running TACACS+ that does the normal AAA things we need.

    I searched around online and cannot find out whether I can set up the ACS to run RADIUS and TACACS+ in parallel on the same box. I tried to add new clients with the same IP address but using RADIUS instead of TACACS+, but ACS refused because the host already exists.

    The reason we want RADIUS is that we are testing 802.1X and need a RADIUS server to do so.

    Any help would be greatly appreciated

    Thanks again

    Oli

    Hi Oli,

    Are you using the same device name? If so, don't. You cannot use the same device name.

    Use a different device name with the same IP address, set it to RADIUS, and that should work.

    Kind regards

    Amjad

    Rating useful answers is a better way to say "thank you".

  • When no TACACS+ is available -> login with enable password

    Hello

    When I try to telnet to my switch and the TACACS+ server is not available, I get an "authorization failed" message after typing the enable password :-(

    Here is some info:

    Switch config:

    --------------

    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login vtyauth group tacacs+ enable
    aaa authentication enable default enable
    aaa authorization exec default group tacacs+
    enable secret xxxxxxxx
    !
    radius-server host ACS_SERVER_IP
    radius-server key xxxxxxxx
    !
    line vty 0 4
     password 7 xxxxxxxx
     login authentication vtyauth

    Debug aaa authentication:

    -------------------------

    1w0d: AAA: parse name=tty2 idb type=-1 tty=-1
    1w0d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    1w0d: AAA/MEMORY: create_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1
    1w0d: AAA/AUTHEN/START (3157593126): port='tty2' list='vtyauth' action=LOGIN service=LOGIN
    1w0d: AAA/AUTHEN/START (3157593126): found list vtyauth
    1w0d: AAA/AUTHEN/START (3157593126): Method=tacacs+ (tacacs+)
    1w0d: TAC+: send AUTHEN/START packet ver=192 id=3157593126
    1w0d: AAA/AUTHEN (3157593126): status = ERROR
    1w0d: AAA/AUTHEN/START (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): continue_login (user='(undef)')
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = PASS
    1w0d: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    1w0d: AAA/DISC/EXT: tty2: 1002/'unknown'
    1w0d: AAA/MEMORY: free_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1

    Thank you!

    I would like to clarify a few authorization options.

    Enable mode is priv 15.

    Because of the line "aaa authorization exec default group tacacs+", the router will ask ACS to check that the user has privilege level 15, regardless of the fallback. Your options are:

    1. Set the user's group in ACS to have shell access with privilege level 15.

    2. Change your router config to "no aaa authorization exec default"; this is however less secure and not recommended.

    You can take "aaa authentication enable default enable" out of the config because you use TACACS+: as I said, if you use TACACS+ authorization it is always going to check with ACS for privilege level 15.

    See the attachment for a view of where you enter this level. By default, only the group can be configured like this, but there is a way to apply it to a user: this can be done by enabling this attribute via "Interface Configuration", then the "TACACS+" options.

    Hope this helps, let us know the results.

  • I am unable to log in with TACACS+ after adding the aaa authorization network command

    Hello

    I was testing aaa authentication on a switch when it cannot communicate with ISE, and I found a strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.

    The switch kept cycling: showing the banner, giving the authentication failure message 3 times, and then the cycle started again with the failure, the banner and the login message.

    I removed the aaa authorization network command, reloaded the switch, and was able to log in successfully.

    Could someone help me with this problem?

    Hi Nitesh-

    This command (aaa authorization network ...) has nothing to do with admin authorization on the network device (in this case, the switch). This command applies to network connections such as PPP, SLIP, etc.

    In addition, aaa authorization can be performed by RADIUS and not only TACACS+. RADIUS is not as powerful and you can't provide command authorization sets, but you can still return roles and different privilege levels.

    Have you tested the above configuration syntax? I did and it works as expected!

    Thank you for rating helpful posts!

  • Adding a user role for SAN switches

    I'm trying to find the correct location in ACS 3.3 to add the following: roles="network-admin". We have our SAN switches using TACACS+. When a user other than admin logs in, they get the "network-operator" role. The Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x doc explains the role if you are using IOS/PIX RADIUS. Thank you.

    Hi Ed,

    Here is the link,

    http://www.Cisco.com/en/us/docs/storage/san_switches/MDS9000/SW/rel_2_x/San-OS/Configuration/Guide/cradtac.html

    Here is what you are looking for:

    TACACS+ custom attributes can be set on an Access Control Server (ACS) for various services (for example, shell). The Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the shell service to be used for role definition.

    Cisco ACS TACACS+:

    shell:roles="network-admin"
    shell:roles*"network-admin"
    cisco-av-pair*shell:roles="network-admin"
    cisco-av-pair*shell:roles*"network-admin"
    cisco-av-pair=shell:roles*"network-admin"

    On ACS, if you go to Interface Configuration, TACACS+ (Cisco IOS), check the box next to "Display a window for each service selected in which you can enter customized TACACS+ attributes".

    Then go to Group Setup and define the role information according to the above attributes.

    Hope that helps

    Kind regards

    ~ JG

  • Shell exec authorization on ASA using IAS RADIUS

    Using an ASA 5540 with 8.0(4) and trying to get shell EXEC authorization (level 15) for the authenticated user from an IAS RADIUS server. I used the aaa authorization command on the ASA and specified the attributes on the IAS RADIUS server as shown in the configuration guide, but the user is still dropped into the default exec level. I need to use the enable command to get the user to the exec privilege level.

    Hi all

    Although the 'aaa authorization exec' command was introduced in ASA code 7.1, the ASA does not support the AAA exec authorization feature yet, so it cannot be configured with RADIUS or TACACS+.

    The enhancement request has already been filed on it.

  • ACS V4.1 as RADIUS server

    We plan to use our ACS server to act as a RADIUS server. Our ACS runs V4.1 on Windows Server 2003 and is used for TACACS+.

    I would like to know, if ACS is to act as a RADIUS server, what kind of issues we should expect.

    Looking for related information on the capabilities, benefits vs. caveats and pitfalls of this ACS approach.

    Thank you

    ACS can act as both a RADIUS and a TACACS+ server.

    When you ask what kinds of issues to expect: you need to check the open caveats in the ACS 4.1 release notes.

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs41/index.htm

  • ACS 4.2 RADIUS Authentication and RADIUS Accounting

    Is it possible to configure ACS 4.2 to authenticate users of a wireless network (with autonomous APs) through RADIUS while using the same ACS to provide command accounting for the access points via TACACS+? This issue came up because when I configure the APs as 'AAA Clients' under 'Network Configuration' on the ACS server (the config necessary for authenticating APs and end users), the authentication method used is RADIUS (Cisco Aironet), and this prevents the generation of TACACS+ command accounting reports under "Reports and Activity > TACACS+ Administration".

    Any idea on how to solve this problem?

    Thank you

    Antonio

    Hello

    You need to add a different host name for the AP, i.e. two entries where you can use the same IP but use RADIUS for one and TACACS+ for the other.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Cisco ACS 5.3 - RADIUS attributes and "Device Administration/Shell Profiles"

    Can someone help me with this?

    Under 'Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles' I defined a profile with the following attribute:
    Attribute = F5-LTM-User-Role
    Type = Unsigned Integer 32
    Value = 300

    My question is:
    How can I set the same as above using 'Device Administration / Shell Profiles'?

    There is a Custom Attributes tab, but I can't understand how to specify the 'Type' field. (On the Custom Attributes tab there is room for 2 fields, not 3.)

    Hello

    Just for my understanding, are you trying to use RADIUS or TACACS+?

    Shell profiles are used for TACACS+ and authorization profiles are used for RADIUS.

    Thank you

    Tarik

  • Anyone know of a doc covering using ACS 5.3 to control the VLAN using TACACS+?

    Hello

    If someone could help with this, I'd appreciate it.

    I configured an ACS 5.3 system and all my groups etc. function correctly, both for network access and for device administration.

    However, I am stuck trying to allow clients to authenticate on the router's web page (web authentication), using TACACS+ between the router and the ACS 5.3.

    I looked at this and I need to configure a custom 'service' attribute with the bound type, related to an authorization policy.

    I think the custom attribute configuration is where I'm stuck.

    Once again, thanks for any help

    Brian

    Your best bet is to use RADIUS. ACS supports RADIUS, and most of the time you are trying to give users access to the network segment of your device admins, and the best way to do that is RADIUS rather than TACACS+.

    Thank you

    Tarik Admani
    * Please rate helpful posts *
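
The switch configurations in the threads above (the split TACACS+/RADIUS method lists given in the first "RADIUS and TACACS+ authentication" answer, and the "authorization failed" lockout when the TACACS+ server is unreachable) share one pattern: the same ACS address is defined as both a tacacs-server and a radius-server host, login and exec lists point at TACACS+, dot1x points at RADIUS, and every admin-facing list needs a method that does not depend on the server. The following Python script is an added example, not code from the threads or from Cisco: it parses an IOS-style AAA configuration and reports the lockout pitfall. The two embedded configurations, the server address 192.0.2.10 and the keys are constructed for this example; only the built-in tacacs+ and radius groups are resolved, and the set of fallback methods is the checker's own assumption.

```python
"""Lint an IOS-style AAA configuration for the TACACS+ (admin) / RADIUS (802.1X)
split and for method lists that would lock administrators out when the AAA
server is unreachable.  Added example; not code from the thread or from Cisco."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample 1: the recommended split.  The single ACS address
# 192.0.2.10 is defined once as a tacacs-server host and once as a
# radius-server host, and every admin-facing list has a fallback method.
SPLIT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
tacacs-server host 192.0.2.10 key EXAMPLE_TACACS_KEY
radius-server host 192.0.2.10 key EXAMPLE_RADIUS_KEY
"""

# Constructed sample 2: login falls back to the enable password, but exec
# authorization has no fallback, so when the TACACS+ server is unreachable
# authentication passes and authorization then fails.
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE_TACACS_KEY
"""

# Methods that do not depend on an external server (assumption of this checker).
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "if-authenticated", "none"}
# Only the built-in groups are resolved to a server type; named groups from
# 'aaa group server ...' are out of scope for this example.
BUILTIN_GROUPS = {"tacacs+": "tacacs", "radius": "radius"}

AAA_LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")
HOST_LINE = re.compile(r"^(tacacs|radius)-server host (\S+)")


def parse_methods(rest: str) -> List[str]:
    """Turn 'group tacacs+ local' into ['group:tacacs+', 'local']."""
    tokens, methods, i = rest.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group:" + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(config: str) -> Tuple[Dict[str, List[str]], Dict[str, Set[str]]]:
    """Return (method lists keyed like 'authentication login default', hosts per protocol)."""
    lists: Dict[str, List[str]] = {}
    hosts: Dict[str, Set[str]] = {"tacacs": set(), "radius": set()}
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_LINE.match(line)
        if m:
            kind, service, name, rest = m.groups()
            lists[f"{kind} {service} {name}"] = parse_methods(rest)
            continue
        h = HOST_LINE.match(line)
        if h:
            hosts[h.group(1)].add(h.group(2))
    return lists, hosts


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was detected."""
    lists, hosts = parse_config(config)
    findings: List[str] = []
    for key, methods in lists.items():
        groups = [m.split(":", 1)[1] for m in methods if m.startswith("group:")]
        # 1. Admin-facing lists that query a server need a server-independent
        #    fallback, or an unreachable server locks administrators out.
        if key.startswith(("authentication login", "authorization exec")) and groups:
            if not any(m in FALLBACK_METHODS for m in methods):
                findings.append(f"{key}: no fallback after group {groups}; "
                                "admins are locked out when the server is unreachable")
        # 2. 802.1X is RADIUS-only; a TACACS+ group there can never succeed.
        if key.startswith("authentication dot1x") and any(g != "radius" for g in groups):
            findings.append(f"{key}: 802.1X requires RADIUS, found {groups}")
        # 3. Each built-in group used must have a host of that protocol defined.
        for g in groups:
            proto = BUILTIN_GROUPS.get(g)
            if proto and not hosts[proto]:
                findings.append(f"{key}: uses group {g} but no {proto}-server host is defined")
    return findings


def shared_servers(config: str) -> Set[str]:
    """Addresses defined as both TACACS+ and RADIUS hosts (one ACS, two protocols)."""
    _, hosts = parse_config(config)
    return hosts["tacacs"] & hosts["radius"]


if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(name, "shared ACS:", shared_servers(cfg), "findings:", audit(cfg) or "none")
```

Run against the lockout sample, the only finding is on "authorization exec default", which is exactly the list the second answer in that thread tells the poster to fix; the split sample produces no finding and reports 192.0.2.10 as the address shared by both protocols.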

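The five attribute strings in the SAN switch thread differ only in their "=" and "*" separators. In the TACACS+ protocol (RFC 8907) an authorization argument is written attr=value when it is mandatory and attr*value when it is optional, so the two spellings tell the switch whether it may ignore the attribute. The following Python parser is an added example, not part of the thread or of ACS: it splits each string at the first separator and collects the roles granted. The sample reply list is constructed from the strings in the post; treating cisco-av-pair as a wrapper to unwrap, and letting the innermost separator decide whether the role is mandatory, are this example's own assumptions.

```python
"""Parse TACACS+ authorization arguments of the form attr=value (mandatory)
and attr*value (optional).  Added example; not code from the thread or ACS."""
import re
from typing import List, NamedTuple, Tuple


class AVPair(NamedTuple):
    attribute: str
    value: str
    mandatory: bool  # '=' separator -> mandatory, '*' separator -> optional (RFC 8907)


# Constructed sample: the attribute strings listed in the post, as they would
# arrive as arguments of a TACACS+ authorization REPLY for the shell service.
SAMPLE_REPLY_ARGS = [
    'shell:roles="network-admin"',
    'shell:roles*"network-admin"',
    'cisco-av-pair*shell:roles="network-admin"',
    'cisco-av-pair*shell:roles*"network-admin"',
    'cisco-av-pair=shell:roles*"network-admin"',
]

# The first '=' or '*' separates the attribute name from its value.
SEPARATOR = re.compile(r"[=*]")


def parse_av_pair(arg: str) -> AVPair:
    """Split one TACACS+ argument into (attribute, value, mandatory)."""
    m = SEPARATOR.search(arg)
    if m is None:
        raise ValueError(f"no '=' or '*' separator in {arg!r}")
    attribute, value = arg[: m.start()], arg[m.end():]
    # Strip one pair of enclosing double quotes, as in roles="network-admin".
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return AVPair(attribute, value, m.group(0) == "=")


def shell_roles(args: List[str]) -> List[Tuple[str, bool]]:
    """Return (role, mandatory) for every shell:roles argument.

    Assumption for this example: a 'cisco-av-pair' argument is an ACS wrapper
    whose value is itself an attr=value / attr*value pair, so it is unwrapped
    and the innermost separator decides whether the role is mandatory.
    """
    roles: List[Tuple[str, bool]] = []
    for arg in args:
        pair = parse_av_pair(arg)
        while pair.attribute == "cisco-av-pair":
            pair = parse_av_pair(pair.value)
        if pair.attribute == "shell:roles":
            roles.append((pair.value, pair.mandatory))
    return roles


if __name__ == "__main__":
    for role, mandatory in shell_roles(SAMPLE_REPLY_ARGS):
        print(f"role={role} mandatory={mandatory}")
```

All five strings resolve to the same role; what changes is only whether the device is required to honour it, which is why a switch that ignores an optional attribute can still land a user in the default "network-operator" role described in the question.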