the AAA authentication

Hello

Just 2 8164 unpacket new switches. This is my first network hardware dell that I use. I have a little trouble understanding authentication methods. I'm used to using a database of the local user. I managed to create a list of login authentication which checks the local user database. But I stil have to Pentecost autheticate an enable password when I enter enable promt.

Is it possible to login and go straight through the mode exec user without password enable?

Hello

If you have a radius or Ganymede server you won't have to use the enable password if you define methods like the default method and user account appropriate to record level in sound. FTP://FTP.Dell.com/manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/PowerConnect-8100_Reference%20Guide_en-us.PDF page 242

Tags: Dell Tech

Similar Questions

  • the AAA authentication enable default group Ganymede + activate

    I implement CSACS 4.0. First of all on the client, I will apply aaa authenticatio / authorization under vty. The issure if I use the followin command

    the AAA authentication enable default group Ganymede + activate

    What happens if I connect via the console? I need to enter a name of user and password?

    Here is my configuration

    AAA new-model

    Group authvty of connection authentication AAA GANYMEDE + local

    the AAA authentication enable default group Ganymede + activate

    authvty orders 15 AAA authorization GANYMEDE + local

    RADIUS-server host IP

    Radius-server key

    Ganymede IP source interface VLAN 3

    AAA accounting send stop-record an authentication failure

    AAA accounting delay start

    AAA accounting exec authvty start-stop group Ganymede +.

    orders accounting AAA 15 authvty power group Ganymede +.

    AAA accounting connection authvty start-stop group Ganymede +.

    line vty 0 15

    connection of authentication authvty

    authorization orders 15 authvty

    authvty connection accounting

    accounting orders 15 authvty

    accunting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a guest message.banner whenever you try to connect (console/vty). I set it up on my router.

    If you have banner motd, it will appear as well (see below). So, I have to remove it to get only the aaa banner & prompt is displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15f - local) *.

    ************************************************************

    Any unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router #.

    The configuration more or less looks like this:

    AAA new-model

    AAA authentication banner ^ is forbidden to use CUnauthorized. ^ C

    AAA authentication password prompt "enter your password now:

    AAA-guest authentication username "enter your name here:

    Group AAA authentication login default RADIUS

    local authentication AAA CONSOLE connection

    HTH

    AK

  • The AAA authentication configuration

    We have ACS server 3.1 to AAA for authentication for all routers and switches. I want each person to connect the router using its own id, password password and activate. If the ACS server is unavailable, I want to have different id, password and enable password for console and telnet access. What is the right way to do this? I also want to follow all orders entered on the router.

    That's what I have:

    AAA new-model

    AAA authentication login default group Ganymede + local

    enable AAA authentication login no_tacacs

    the AAA authentication enable default group Ganymede + line

    AAA authorization exec default group Ganymede + local

    AAA authorization commands 15 default group Ganymede + local

    AAA accounting exec default start-stop Ganymede group.

    orders accounting AAA 15 by default start-stop Ganymede group.

    !

    username admin password 7 xxxxxxxxxxxxxxxx

    !

    !

    Line con 0

    connection of authentication no_tacacs

    line to 0

    line vty 0 4

    password 7 xxxxxxxxxxxxxxxxxxxxxxxx

    !

    Yes, it's Joy on the right. Thank you, Renault

  • Excluding the lines of Terminal Server in the AAA authentication

    Hi all

    Hope you can help, I'm trying to find a solution to exclude only the following line port by using the AAA authentication (ACS GANYMEDE +) on a map of Terminal Server on a Cisco 2600 router.  Does anyone know how to do this, or point me in the right direction to solve?

    I've included the output below:

    AAA authentication login default group Ganymede + local
    AAA authorization exec default group Ganymede + local
    AAA accounting exec default start-stop Ganymede group.
    AAA accounting network default start-stop Ganymede group.
    AAA accounting default connection group power Ganymede
    AAA accounting system default start-stop Ganymede group.
    AAA - the id of the joint session

    line 41
    session-timeout 20
    decoder location - XXXXXX XXXXXX BT
    No banner motd
    No exec-banner
    absolute-timeout 240
    Modem InOut
    No exec
    transport of entry all
    StopBits 1
    Speed 38400

    Is it a question of disabling the command line or using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication to the and send your AAA configuration

    line to 0

    connection of authentication aux_auth

    AAA authentication login aux_auth line

    You can also configure a username local/pw and map it on the group to here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    Line con 0

    console login authentication

    line 4 vty0

    vty authentication login

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • The AAA authentication not working method and 'by default' list

    Guys,

    I hope someone can help me here to the problem of the AAA. I copied the configuration and debugging below. The router keeps using username/password local name even if the ACS servers are accessible and functional. To debug, it seems he keeps using the method list 'default' ignoring GANYMEDE config. Any help will be appreciated

    Config

    **********************************

    AAA new-model

    !

    username admin privilege 15 secret 5 xxxxxxxxxx.

    !

    AAA authentication login default group Ganymede + local

    the AAA authentication enable default group Ganymede + activate

    authorization AAA console

    AAA authorization exec default group Ganymede + local

    AAA authorization commands 15 default group Ganymede + local

    AAA authorization default reverse-access group Ganymede + local

    orders accounting AAA 0 arrhythmic default group Ganymede +.

    orders accounting AAA 15 by default start-stop Ganymede group.

    Default connection accounting AAA power Ganymede group.

    !

    AAA - the id of the joint session

    !

    RADIUS-server host x.x.x.x

    RADIUS-server host x.x.x.x

    RADIUS-server host x.x.x.x

    RADIUS-server host x.x.x.x

    RADIUS-server application made

    RADIUS-server key 7 0006140E54xxxxxxxxxx

    !

    Ganymede IP interface-source Vlan200

    ***************************

    Debugs

    002344: 5 Dec 01:36:03.087 ICT: AAA/BIND (00000022): link i / f

    002345: Dec 5 01:36:03.087 ICT: AAA/AUTHENTIC/LOGIN (00000022): choose method list "by default".

    002346: Dec 5 01:36:11.080 ICT: AAA/AUTHENTIC/LOGIN (00000022): choose method list "by default".

    core01 #.

    002347: Dec 5 01:36:59.404 ICT: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    002348: Dec 5 01:36:59.404 ICT: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0 x 6526934) user = "admin" ruser = "core01" ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = NONE priv = 15 initial_task_id = '0', vrf = (id = 0)

    002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port = "tty0" list = "service = CMD

    002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user = "admin".

    002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send service AV = shell

    002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send cmd = AV set up

    002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV terminal = cmd - arg

    002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send cmd - arg = AV

    002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found the 'default' list

    002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): method = Ganymede + (Ganymede +)

    002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC +: (2162495688): user = admin

    002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC +: (2162495688): send service AV = shell

    002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC +: (2162495688): send cmd = AV set up

    002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC +: (2162495688): send AV terminal = cmd - arg

    002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC +: (2162495688): send cmd - arg = AV

    Enter configuration commands, one per line.  End with CNTL/Z.

    core01 (config) #.

    002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): permission post = ERROR

    002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): method = LOCAL

    002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): position of authorization = PASS_ADD

    002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0 x 6526934) user = "admin" ruser = "core01" port = "tty0" rem_addr = "async" authen_type = ASCII service = NONE priv = 15

    core01 (config) #.

    Ganymede + accessible servers use source vlan 200. Also in the Ganymede server + can you check if the IP address for this device is configured correctly and also please check the pwd on the server and the game of this device.

    As rick suggested sh Ganymede would be good as well. That would show the failures and the successes

    HTH

    Kishore

  • The AAA authentication: not configured

    I have cisco 851 using ccp to configure EASY VPN

    I click on TEST VPN SERVER, and then click Start the State shows successful

    When I tried to connect a client I mm_no_state

    When I considered the report of the test I found

    The AAA authentication: not configured

    My AAA

    AAA new-model

    !

    !

    AAA authentication login tgcsusers local

    AAA authorization tgcsvpn LAN

    !

    AAA - the id of the joint session

    I have also attached my config

    Ideas or thoughts?

    You will need to get my client work...

    I logged by user name password you provided.

    Please check the pictures I downloaded to you.

    Good night, sleep tight.

    Thank you

    Rizwan James

  • The AAA authentication and VRF-Lite

    Hello!

    I encountered a strange problem, when you use authentication Radius AAA and VRF-Lite.

    The setting is as follows. A/31 linknet is configured between PE and THIS (7206/g1 and C1812), where the EP sub-si is part of a MPLS VPN and VRF-Lite CE uses to maintain separate local services (where more than one VPN is used..).

    Access to the this, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following configuration:

    --> Config start<>

    AAA new-model

    !

    !

    Group AA radius RADIUS-auth server

    Server x.x.4.23 auth-port 1645 acct-port 1646

    Server x.x.7.139 auth-port 1645 acct-port 1646

    !

    AAA authentication login default group auth radius local

    enable AAA, enable authentication by default group RADIUS-auth

    ...

    touch of 1646-Server RADIUS host x.x.4.23 auth-port 1645 acct-port

    touch of 1646-Server RADIUS host x.x.7.139 auth-port 1645 acct-port

    ...

    source-interface IP vrf 10 RADIUS

    ---> Config ends<>

    The VRF-Lite instance is configured like this:

    ---> Config start<>

    VRF IP-10

    RD 65001:10

    ---> Config ends<>

    Now - if I remove the configuration VRF-Lite and use global routing on the CE (which is OK for a simple vpn installation), AAA/RADIUS authentication works very well. "" When I activate transfer ip vrf "10" on the interface of the outside and inside, AAA/RADIUS service is unable to reach the two defined servers.

    I compared the routing table when using VRF-Lite and global routing, and they are identical. All roads are correctly imported via BGP, and the service as a whole operates without problem, in other words, the AAA/RADIUS part is the only service does not.

    It may be necessary to include a vrf-transfer command in the config of Group server as follows:

    AAA radius RADIUS-auth server group

    Server-private x.x.x.x auth-port 1645 acct-port

    1646 key ww

    IP vrf forwarding 10

    See the document below for more details:

    http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html

  • The AAA authentication &amp; accounting using the command of Ganymede-orders

    In the page of the cisco Remote Access Companion guide 394 book we got these configuration lines:

    RTA (config) #tacacs - server host 192.168.0.11

    RTA (config) #tacacs - host 192.168.0.12 server

    RTA (config) #tacacs - server key topsecret

    RTA (config) #aaa new-model

    Ganymede + RTA (config) #aaa authentication login default group

    If I want to add to the configuration above, the following command:

    RTA (config) #aaa accounting connection defult stop / start Ganymede +.

    Is it necessary that the above lines be in a specific order when I configure the RTA?

    No, the order in which you enter commands doesn't matter.

  • The AAA authentication failure

    I have a 2500 with configured radius server controller with safety as the WPA system. Few users authenticate not since yesterday (they were connected before) with the same user credentails in another laptop sound work. All a both few customers is not authenticate.

    Here are the logs of problem with the command show debugging client client mac address

    (Cisco Controller) > * Dot1x_NW_MsgTask_3: 18:30:37.487 Mar 20: 98:03:d8:7 d: d0:83 received EAPOL START of mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.487 Mar 20: 98:03:d8:7 d: d0:83 dot1x - moving d mobile 98:03:d8:7: d0:83 in the State of connection

    * Dot1x_NW_MsgTask_3: 18:30:37.487 Mar 20: 98:03:d8:7 d: d0:83 send request/identity EAP to d 98:03:d8:7 mobile: d0:83 (EAP Id 2)

    * Dot1x_NW_MsgTask_3: 18:30:37.493 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.493 Mar 20: 98:03:d8:7 d: d0:83 response received identity (count = 2) d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.493 Mar 20: 98:03:d8:7 d: d0:83 EAP State update of login authentication for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.493 Mar 20: 98:03:d8:7 d: d0:83 dot1x - moving d mobile 98:03:d8:7: d0:83 by authenticating the State

    * Dot1x_NW_MsgTask_3: 18:30:37.493 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.551 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.551 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 220) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.551 Mar 20: 98:03:d8:7 d: d0:83 WARNING: Update 2 EAP-identifier ===> 220 for STA 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.551 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 220)

    * Dot1x_NW_MsgTask_3: 18:30:37.566 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.566 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (220 Id EAP, EAP Type 3)

    * Dot1x_NW_MsgTask_3: 18:30:37.566 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.627 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.627 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 221) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.627 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 221)

    * Dot1x_NW_MsgTask_3: 18:30:37.643 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.643 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (221 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:37.643 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.701 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.701 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 222) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.701 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 222)

    * Dot1x_NW_MsgTask_3: 18:30:37.723 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.723 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (222 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:37.723 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.782 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.782 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 223) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.782 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 223)

    * Dot1x_NW_MsgTask_3: 18:30:37.809 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.809 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (223 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:37.809 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.892 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.892 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 224) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.892 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 224)

    * Dot1x_NW_MsgTask_3: 18:30:37.903 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.903 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (224 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:37.903 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.959 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.959 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 225) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.959 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 225)

    * Dot1x_NW_MsgTask_3: 18:30:37.976 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:37.976 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (225 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:37.976 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.051 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.051 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 226) d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.051 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 226)

    * Dot1x_NW_MsgTask_3: 18:30:38.059 Mar 20: 98:03:d8:7 d: d0:83 EAPPKT EAPOL received from mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.059 Mar 20: 98:03:d8:7 d: d0:83 response EAP received from mobile 98:03:d8:7 d: d0:83 (226 Id EAP, EAP Type 25)

    * Dot1x_NW_MsgTask_3: 18:30:38.059 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth response for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.116 Mar 20: 98:03:d8:7 d: d0:83 treatment Access-Challenge for mobile 98:03:d8:7 d: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.116 Mar 20: 98:03:d8:7 d: d0:83 State entering Backend Auth Req (id = 227) for d 98:03:d8:7 mobile: d0:83

    * Dot1x_NW_MsgTask_3: 18:30:38.116 Mar 20: 98:03:d8:7 d: d0:83 send EAP request of AAA to d mobile 98:03:d8:7: d0:83 (EAP Id 227)

    Please help me solve this problem

    Make sure that policies of login GBA allowing a user for several sessions as well.

    Rating of useful answers is more useful to say "thank you".

  • The AAA for PIX515E 6.3 rules (5)

    Hello. If I wanted to configure the PIX for the authentication of an ACS server (for the purpose of management of PIX), what else would need apart from what follows:

    AAA-server Admin-FW Protocol Ganymede +.

    AAA-Server Admin-FW max-failed-attempts 3

    AAA-Server Admin-FW deadtime 10

    !

    AAA-Server Admin-FW (inside) host 192.168.2.9 access timeout 10

    !

    console series FW-Admin-AAA authentication

    Console telnet authentication AAA Admin-FW

    authentication AAA ssh console Admin-FW

    As far as I KNOW, I did not specify which IP addresses can someone telnet from to connect on the PIX. I tried the following, but I do not know I did not provide the correct instructions:

    the AAA authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

    ... and I have a username / password to invite him on the PIX but it keeps asking for a user name and password. I know my account GANYMEDE is good because I can connect on the routers with the same details as what I use to authenticate on the PIX.

    I also ran a debugging on the PIX when I was trying to authenticate. The output is attached.

    Thank you

    Timothy

    Hi Tim,.

    There is no need to order,

    the AAA authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

    Try it now and see if you get hits on ACS. Incase it is not working, pls get again him debugs.

    Thank you

    Jagdeep

  • Confusion of the AAA

    In the AAA configuration guide, it says you must apply the method of access to lines and interfaces, but if I use the aaa authentication login apparently apply the authentication method for all methods of login anyway?

    Is it because I'm using a default method list?, and I only need to apply the method defined lists of interfaces or lines? but as I don't have the default value is used.

    When we use by default it is applied to all lines. If there is no list of methods defined on the default interface will not take effect.

    Kind regards

    ~ JG

  • AAA authentication question

    Here is the config, I have a switch:

    AAA authentication login default group Ganymede + local

    AAA authentication login vtylogin group Ganymede + local

    AAA authentication login conlogin group Ganymede + activate none

    the AAA authentication enable default Ganymede + activate

    Now, here are my questions:

    1. when I have my login of Ganymede console connection works, but when I type 'enable' and try to use my password to Active Directory, it does not work.  So I try the enable password, don't worry.  However if I change the 4th line "aaa authentication enable the Activate by default", I can now by using the enable password.

    2. my second question is when I SSH into the switch, I want only that it uses the RADIUS server and use only the database local when the Ganymede is not available.  However while Ganymede is available, I am still able to login using the local user account.  I guess that's by design?  Is there a way to prevent this if it isn't design?

    When you use the local user account to connect to the device, can you check if you can see the log in "past the authentication attempt" on the box of the CSA? If so, the same account could you please check your local ACS DB user to see that it was created by a fake?

  • AAA authentication problemssss

    Hello

    When I use commands below aaa and attempt to authenticate, I am able to authenticate with GANYMEDE +, but further then when I do "sh run" I get message "command failed authorization." Please notify.

    Test-Switch #sh run

    Authorization of command failed.

    AAA new-model
    AAA authentication login NETWORK_ACCESS group Ganymede + local activate
    the AAA authentication enable default group Ganymede + activate

    AAA authorization exec default group Ganymede + authenticated if
    default 15 AAA authorization commands group Ganymede + none

    AAA accounting exec default start-stop Ganymede group.
    orders accounting AAA 15 by default start-stop Ganymede group.

    the String key of the host IP radius-server

    line vty 0 4
    transport input telnet ssh
    authentication of the connection NETWORK_ACCESS
    exec-timeout 10

    BUT as soon I just changed the aaa as configuration below I'm able to run sh run commands as usual without any error.

    AAA new-model

    AAA authentication login default group Ganymede + local

    AAA authentication login no_tacacs local

    activate the default AAA authentication no

    AAA authentication login default group Ganymede + line

    AAA authentication login no_tacacs line

    authorization AAA console

    AAA authorization exec default group Ganymede + local authenticated by FIS

    AAA authorization exec default group Ganymede + authenticated if

    AAA authorization exec local no_tacacs authenticated by FIS

    AAA authorization commands 0 no_tacacs no

    AAA authorization commands 1 no_tacacs no

    AAA authorization commands 15 no_tacacs no

    AAA accounting exec default start-stop Ganymede group.

    orders accounting AAA 15 by default start-stop Ganymede group.

    orders accounting AAA 0 arrhythmic default group Ganymede +.

    AAA - the id of the joint session

    Please advise, thank you. its urgent

    To approach the issue from a slightly different angle - your original set of commands instruct the router to send the application for leave to GANYMEDE for each command to level 15, which includes see the race. Your GANYMEDE server was not configured to allow your use to see the race and if your attempt to show performance was rejected.

    Your revised set of orders doesn't send application to GANYMEDE for level 15 commands (or other classes of orders by the way) and so there is no question here to see the race.

    As far as I can say that your revised set of orders do not permit for orders. You can achieve this result just as easily (and with fewer complications in your configuration) If you delete just aaa authorization command from your config lines.

    HTH

    Rick

  • AAA authentication sequence

    We have following commands configured on the 2950

    AAA new-model

    AAA authentication login default local radius group

    the AAA authentication enable default

    RADIUS group AAA authorization exec default authenticated if

    localuser username secret 5 *.

    When you try to access the switch it's mark to the RADIUS server, but it is not authenticated.

    And then he gets authenticated with the local user name.

    Here is the log of the RADIUS server

    It shows the correct user name and correct the source of the switch IP address.

    Authentication provider = Windows

    Authentication server =

    Policy-Name =

    Authentication type PAP =

    EAP-Type =

    Code motif = 16

    Reason = authentication was not successful because an unknown user or bad password name has been used.

    In principle it was expected that as long as the switch is able to connect to the RADIUS server, it will not use the local username for authentication.

    But the switch uses the local username even if he can contact the RADIUS service.

    Please share the experience.

    Thank you

    Subodh

    Hello

    Indeed, I've recreated the issue when authenticating against a RAQ. My switch is running a newer version, however, it always reports the error of decryption on newspapers when the shared secret is incorrect. Shared secret configured as "cisco" on the switch and as "cisco123" relating to the registration of the IAS RADIUS client. Got the following text:

    Priv15 of the user has been denied access.

    Fully-qualified-user name = CAMEJIA\priv15

    NAS-IP-Address = x.x.250.12

    NAS-identify =

    Station called = identifier

    Calling-Station-identifier =

    Client-Friendly-Name = x.x.250.12

    Client-IP-Address = x.x.250.12

    NAS-Port-Type = Async

    NAS-Port =

    Proxy-policy-Name = use Windows authentication for all users

    Authentication provider = Windows

    Authentication server =

    Policy-Name =

    Authentication type PAP =

    EAP-Type =

    Code motif = 16

    Reason = authentication was not successful because an unknown user or bad password name has been used.

    On the debugging switch:

    * 06:02:13.600 Mar 2: RADIUS: receipt id 1645/6 x.x.250.20:1645, Access-Reject, len 20

    * 06:02:13.600 Mar 2: RADIUS: 24 84 60 FA B8 43 3rd A9 authenticator - AC 55 72 70 CE 34 BA 70

    * 06:02:13.600 Mar 2: RADIUS: authenticator response decrypt fault, len 20 pak

    * 06:02:13.600 Mar 2: RADIUS: package dump: 03060014248460FAB8433EA9AC557270CE34BA70

    * 06:02:13.600 Mar 2: RADIUS: digest expected: D22363698E8862015AC91213B540D77C

    * 06:02:13.600 Mar 2: RADIUS: authentic response: 248460FAB8433EA9AC557270CE34BA70

    * 06:02:13.600 Mar 2: RADIUS: ask authentic: 32B4A229A7EB982A61EB31E29A24AA47

    * 06:02:13.600 Mar 2: RADIUS: response (6) could not decipher

    Please, create a new RADIUS client for the switch only and use a single key as "cisco" on both sides. Do not forget that we should not hit the space bar when you configure the key on the IOS since it will space as a valid shared key figure.

    I hope this helps.

    Kind regards.

  • Test command of the AAA for EAP - TLS authentication for wireless users

    Hi all

    Can anyone suggest me the test command to verify the eap - tls authentication for the Cisco WAP's wireless.

    If it's an authetication jump we can use the command to test the connection below

    Radius of group aaa Testwap-01 #test [email protected] / * / o4 & yJ) NoL$ new-code %0
    Trying to authenticate with the server radius group
    User successfully authenticated

    But eap - tls is not delivered with the password. He insists that for the user name.

    We strive for remote location then test remotely before production.

    If someone help pls in that if we have a command to test or debug command to test this authentication.

    EAP - TLS requires a client certificate. How can you have a simple command that analysis without loading any certificate on the router/switch? It does not exist. This is why eap - tls is not considered an easy to deploy eap method: because it can go wrong on several levels.

    The aaa command test performs a PAP authentication, therefore, it tests the connectivity of the base RADIUS and name of user and password.

    If it works, the only thing that can break for eap - tls are certificates, as well as the radius server will be able to tell if something worng.

Maybe you are looking for