ACS authentication problem with TACACS+
My organization was using ACS with AD to authenticate users for access to network devices.
But lately it does not work. There have been no known changes.
Can anyone point out possible problems, or links showing what the actual ACS configuration should look like for this to work?
My apologies if this is a naive question; I am not very comfortable with ACS.
Thank you!
Hello
There are two ways to correct the message 'Windows dialin permission required'. You can either grant dial-in permission on the user accounts in your Windows database, or you can remove the "Require Dialin permission" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a
checkbox that gives you the opportunity to "Verify that Grant dialin permission to user is checked".
Checking this box will cause the error you get if your Windows users do not have dial-in permission. If you uncheck this box, that should clear it up.
HTH
JK
Tags: Cisco Security
Similar Questions
-
Problem with TACACS+ (ACS) and Catalyst 2950
I have configured the 2950 as below and properly configured ACS, and I can connect to the 2950 using this configuration. The problem comes after that: when I go to enable and try any command, I get the error "command authorization failed".
What have I missed in the config that will allow me to execute commands?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host ***.***
tacacs-server key 7 *
Thanks in advance.
Jon
Hi Jon,
The AAA on the switch seems OK; maybe you need to take a look at your ACS.
Check the following information on where you have to apply it in your ACS config:
Rgds,
AK
-
TACACS+ SSH authentication problem for ASA
Dear Sir
I manage an ASA 5540 active/failover pair. SSH authentication is performed via TACACS+ on an ACS 4.2 located in the same VLAN as the inside interface of the firewall. I have added the two firewalls on the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and connect to the active ASA without any problem. But on the standby ASA, I get the SSH prompt but I couldn't connect. When I look at the failed attempts log on ACS, I noticed "Unknown NAS" for the ASA. How can I solve this problem?
Best regards
Abebe Amare
Network Engineer, VivaCell
Hi Abebe,
On the secondary ASA, please check the following:
show failover ---> and make sure the secondary unit shows Standby Ready and not Failed.
show aaa-server ---> check the output and see whether the ASA marks the TACACS+ server as 'UP' and shows the packet exchange.
Enable the following debugs and perform an authentication test as shown:
debug aaa authentication
debug tacacs
debug ssh
test aaa-server authentication <server_tag> host <server_ip> username <username> password <password>
Provide me with the debugs after you enter your username, so that I can analyze them.
See you soon,
Christian V
-
Custom authorization with TACACS+ (ACS 5.4) - NX-OS RBAC limited access
Hello
I created a custom RBAC role on NX-OS:
role name Limited_Admin
  rule 11 deny command config t ; interface mgmt 0
  rule 10 permit read
  rule 9 permit command config t ; interface * ; *
  rule 8 permit command copy running-config startup-config
  rule 7 permit command ping *
  rule 6 permit command traceroute *
I created a Shell Profile with the following attribute, which places the user in the Limited_Admin role, and mapped it to the authorization policy rule:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles="Limited_Admin"
When I log in with the test account, I get mapped to the custom role as shown below, but I have priv 15.
user: testrbac
roles: Limited_Admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
Any help is greatly appreciated. I had this working perfectly on 4.2 but am unable to make the rules work on 5.4.
Nexus AAA configuration:
tacacs-server key *
ip tacacs source-interface mgmt0
tacacs-server host x.x.x.x
aaa group server tacacs+ ACS-SERVERS
  server x.x.x.x
  use-vrf management
aaa authentication login default group ACS-SERVERS
aaa authentication login console local
aaa accounting default group ACS-SERVERS
aaa authentication login error-enable
I saw it, and that's what I wanted to see and use as the syntax/format on NX-OS under the role, like this:
role name Limited_Admin
  rule 11 deny command configure terminal ; interface mgmt0
However, I think you tried and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.
Jousset
*Please rate helpful posts* Sent from the Cisco Technical Support Android app
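To see how NX-OS picks the rule that applies to a command in a role like Limited_Admin above, here is an added Python model (not code from the thread or from Cisco) of the rule evaluation: rules are tried from the highest number down and the first match wins, `*` is a wildcard, `;` separates command levels, and a command that matches no rule is denied. Treating `permit read` as "show commands" and `permit read-write` as "everything" is a simplification assumed here, and the role text is constructed from the one posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed role text modelled on the Limited_Admin role in the thread above.
LIMITED_ADMIN = """\
role name Limited_Admin
  rule 11 deny command configure terminal ; interface mgmt0
  rule 10 permit read
  rule 9 permit command configure terminal ; interface *
  rule 8 permit command copy running-config startup-config
  rule 7 permit command ping *
  rule 6 permit command traceroute *
"""

@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "permit" or "deny"
    kind: str        # "command", "read" or "read-write"
    pattern: str     # NX-OS command expression ("*" wildcard, ";" separates levels)

def parse_role(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny command <expr>' and 'rule N permit read[-write]' lines,
    returned highest rule number first, which is the order NX-OS evaluates them."""
    rules = []
    for raw in text.splitlines():
        m = re.match(r"\s*rule (\d+) (permit|deny) (?:command (.+)|(read-write|read))\s*$", raw)
        if m:
            kind = "command" if m.group(3) else m.group(4)
            rules.append(Rule(int(m.group(1)), m.group(2), kind, (m.group(3) or "").strip()))
    return sorted(rules, key=lambda r: r.number, reverse=True)

def _normalise(cmd: str) -> str:
    """Collapse whitespace and standardise the ' ; ' level separator."""
    return " ; ".join(" ".join(part.split()) for part in cmd.split(";"))

def _expr_matches(expr: str, command: str) -> bool:
    """Match an NX-OS command expression against a command path; '*' matches any text."""
    regex = ".*".join(re.escape(p) for p in _normalise(expr).split("*"))
    return re.fullmatch(regex, _normalise(command)) is not None

def evaluate(rules: List[Rule], command: str) -> Tuple[str, Optional[int]]:
    """Return (decision, rule number); rules are tried from the highest number down and
    the first match wins.  A command matching no rule is denied (NX-OS default)."""
    for rule in rules:
        if rule.kind == "command" and _expr_matches(rule.pattern, command):
            return rule.action, rule.number
        if rule.kind == "read-write":                 # simplification: matches any command
            return rule.action, rule.number
        if rule.kind == "read" and _normalise(command).startswith("show "):  # simplification
            return rule.action, rule.number
    return "deny", None

if __name__ == "__main__":
    role = parse_role(LIMITED_ADMIN)
    for cmd in ("configure terminal ; interface mgmt0",
                "configure terminal ; interface ethernet1/1",
                "show running-config", "reload"):
        print(f"{cmd!r:48} -> {evaluate(role, cmd)}")
```

Note that rule 11 wins over rule 9 for the mgmt0 interface only because it has the higher number; renumbering it below 9 would let the wildcard permit it.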
-
ACS 5.6 authentication problem
We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.
The unit is installed on the network, correctly licensed, etc.
I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.
I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.
When I SSH into the switch, I can log in using my AD username and password, but I can't go into enable mode. It says "authentication failure".
My AAA settings are:
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key
I'm missing something somewhere, I don't know where. If I try to download the support bundle from ACS, it says it is downloading, but does not say where (or how).
Any advice would be great. I'm new to this product.
See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889
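The two threads above (the 2950 that fails command authorization after enable, and the ACS 5.6 switch that fails enable authentication) both come down to which AAA method lists are present on the IOS side. The following Python script is an added example, not code from either poster or from Cisco: it audits an IOS AAA/TACACS+ configuration for the lines that are commonly missing and flags fall-through keywords that widen access when the server is unreachable. The sample config is constructed (address and key are made up) and modelled on the 2950 config posted earlier.

```python
import re

# Constructed sample modelled on the 2950 config posted above (address and key made up).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key 7 0822455D0A16
"""

# Each entry: a regex at least one config line must match, and the finding if none does.
REQUIRED = [
    (r"^aaa new-model$",
     "missing: aaa new-model (AAA method lists are not in effect)"),
    (r"^aaa authentication login \S+ .*\bgroup tacacs\+",
     "missing: aaa authentication login ... group tacacs+"),
    (r"^aaa authentication enable \S+ .*\bgroup tacacs\+",
     "missing: aaa authentication enable ... group tacacs+ (enable is not checked against TACACS+)"),
    (r"^aaa authorization exec \S+ .*\bgroup tacacs\+",
     "missing: aaa authorization exec ... group tacacs+ (no shell profile is requested)"),
    (r"^aaa authorization commands 15 \S+ .*\bgroup tacacs\+",
     "missing: aaa authorization commands 15 ... group tacacs+ (privileged commands are not authorized)"),
    (r"^tacacs-server host \S+", "missing: tacacs-server host"),
    (r"^tacacs-server key ", "missing: tacacs-server key"),
]

def normalise(config: str) -> list:
    """Collapse whitespace and drop blank and comment ('!') lines."""
    lines = (" ".join(raw.split()) for raw in config.splitlines())
    return [l for l in lines if l and not l.startswith("!")]

def audit_aaa(config: str) -> list:
    """Return findings: 'missing:' for absent lines, 'review:' for permissive fall-throughs."""
    lines = normalise(config)
    findings = [text for pattern, text in REQUIRED
                if not any(re.match(pattern, l) for l in lines)]
    for line in lines:
        # if-authenticated is reached only when the server methods error out (unreachable),
        # but then every authenticated user is authorized for whatever the list covers.
        if line.startswith("aaa authorization") and "if-authenticated" in line:
            findings.append(f"review: '{line}' authorizes any authenticated user when TACACS+ is unreachable")
        if line.startswith("aaa authorization commands") and line.endswith(" none"):
            findings.append(f"review: '{line}' falls back to no command authorization")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```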
-
Problem with Cisco ACS and different domains
Hello
We are currently having a problem with the Cisco ACS we put in place, and I'll try to describe it:
We have ACS bound to AD domains, where we have 2 domains and the appropriate group mappings.
Then we have our Cisco switches with the following configuration:
aaa new-model
aaa authentication fail-message ^CCCC
Failed to authenticate!
Please contact the IT Networks Group for more information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
But the problem is that with the users in one domain we can authenticate, but not the other. Basically, the issue is that when we check the passed authentications, both authentications pass and show 'Authen OK', but on the switch side there is a failure.
Could there be something wrong with the ACS?
Thank you
Jorge
Try increasing the timeout on the IOS device using tacacs-server timeout 10.
Don't you have remote logging enabled on the ACS server?
-Philou
-
ACS 4.2 and EAP-TLS with AD and prefix problem
Hello
We have the following situation:
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B.
First of all, is there a problem having an ACS SE and an ACS work together for a domain, or not? When we had only one domain and the two ACS SE were responsible for domain A, it worked.
Now, after the changes, machine authentication with EAP-TLS no longer works. In the logs it always says "External user DB is unknown" for a (machine) username such as host/abc.domain.ch.
This is the normal output of the Remote Agent; it finds the host but then nothing happens:
CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating domain cache
CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: User "host/abc.domain.ch" found [DOMAIN]
CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent
So I did a test from the ASA to see whether the host is a problem (until the changes were made it was not a problem):
test aaa-server authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA turns the host/ entry into the correct Windows form with the $):
CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating domain cache
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: Retrying authentication to the domain
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent
It is clear that the test failed because of the wrong 'password for a computer', but it's a different output than before. I saw that in ACS 4.1 you can change the prefix of send_break_action to nothing, but in 4.2 it is no longer possible.
Could this be the problem, or does someone see another problem?
Best regards
Dominic
Hello
I encounter the same problem with my ACS. I have all of the attempts failing for the default group. For the default group, the configuration is not available. Is this the reason behind all this?
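The CSWinAgent lines above are easier to read once grouped by agent thread id. The following Python is an added example (not the poster's or Cisco's code) that parses constructed log lines in the same format, pairs each RPC request with its outcome, and names the Windows error code; error 1326 is ERROR_LOGON_FAILURE (unknown user name or bad password). The sample lines and the address in them are constructed.

```python
import re
from collections import defaultdict

# Constructed CSWinAgent lines in the format of the thread above (address made up).
SAMPLE_LOG = """\
CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 Client connecting from 192.0.2.5:1509
CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: User "host/abc.domain.ch" found [DOMAIN]
CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent
"""

LINE_RE = re.compile(r"^CSWinAgent (?P<date>\S+) (?P<time>\S+) (?P<seq>\d+) (?P<thread>\d+) 0x0 "
                     r"(?:(?P<src>[A-Z]+): )?(?P<msg>.*)$")

# Win32 system error codes seen in these logs.
WIN_ERRORS = {1326: "ERROR_LOGON_FAILURE (unknown user name or bad password)"}

def summarise(log: str) -> dict:
    """Group lines by agent thread id; record the RPC call, user and outcome of each."""
    threads = defaultdict(lambda: {"call": None, "user": None, "result": "no-decision",
                                   "error": None, "notes": []})
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        t, msg = threads[m["thread"]], m["msg"]
        if (c := re.match(r"(NT_\w+) received$", msg)):
            t["call"] = c.group(1)
        elif (u := re.search(r'attempt for user (\S+)$|[Uu]ser "([^"]+)" found', msg)):
            t["user"] = u.group(1) or u.group(2)
        elif (e := re.search(r"authentication FAILED \(Error (\d+)L?\)", msg)):
            t["result"], t["error"] = "FAILED", int(e.group(1))
        elif "No trusted domains found" in msg:
            t["notes"].append("no trusted domains in the agent's domain cache")
        elif msg.endswith("response sent") and t["result"] == "no-decision" and t["user"]:
            # the agent answered after only looking the account up: no Windows logon attempted
            t["result"] = "lookup-only"
    return dict(threads)

def findings(log: str) -> list:
    """Human-readable findings, one per notable thread event."""
    out = []
    for tid, t in summarise(log).items():
        if t["result"] == "FAILED":
            reason = WIN_ERRORS.get(t["error"], "unknown error")
            out.append(f"thread {tid}: {t['call']} for {t['user']} FAILED, error {t['error']} {reason}")
        elif t["result"] == "lookup-only":
            out.append(f"thread {tid}: {t['call']} found {t['user']} but attempted no Windows logon")
        out.extend(f"thread {tid}: {n}" for n in t["notes"])
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```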
-
WLC (foreign-anchor), problem with external web authentication -> ISE
Hello guys
I am designing a platform for a guest network, which must be isolated from the LAN, with the following equipment:
- ISE 1.2 (Cisco SNS-3415-K9)
- WLC 7.0.230.0 (Cisco 5508 controller) ---> foreign WLC
- WLC 7.0.230.0 (Cisco 5508 controller) ---> anchor WLC.
The tunnel between the WLCs comes up successfully.
The wireless client gets its IP address from the anchor WLC (DHCP server).
Test 1:
I set up the anchor WLC with local (internal) web authentication; the wireless client is authenticated by the WLC and browses successfully.
Test 2:
Configure external web authentication (ISE) on the anchor WLC. Configure a user on the ISE guest portal.
The wireless client gets its IP address from the anchor WLC (DHCP server); when it tries to log in, the guest portal is not displayed.
A debug of a wireless client trying to connect to the guest network is attached.
That's right... there is a minimum supported code version required for this.
Thank you
Scott
Help others by using the rating system and marking answered questions as "answered".
-
Nexus, command authorization with TACACS+
Hello.
Can anyone provide an example configuration for using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?
Thank you.
Kind regards.
Andrea
Hello Andrea,
We have moved to ACS 5.3 now, but we had our Nexus 5520 running against our old ACS 4.2 before that, so I picked out the relevant bits of the config below:
username admin password <password> role network-admin   ; local admin user
feature tacacs+                                          ; turn on TACACS+
tacacs-server host <ip> key <key>                        ; set the key for the TACACS+ server
aaa group server tacacs+ tacacs                          ; create the group called "tacacs"
  server <ip>                                            ; set the IP address of the TACACS+ server
  use-vrf management                                     ; tell it to use the default 'management' vrf to send TACACS+ queries
  source-interface mgmt0                                 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs            ; use TACACS+ for login authentication
aaa authentication login console group tacacs            ; use TACACS+ for console login authentication
aaa authorization config-commands default group tacacs local   ; use TACACS+ for config command authorization
aaa authorization commands default group tacacs local    ; use TACACS+ for normal command authorization
aaa accounting default group tacacs                      ; send accounting records to TACACS+
I hope that works for you!
(This may change a bit when you move to ACS 5.x; we chose not to do complex command authorization (using only shell profiles), so to handle this you fall back on the role on the Nexus 5K, and it does the command authorization (network-operator vs network-admin) based on that, if you just don't configure aaa command authorization on the 5K.)
Rob...
-
Authentication problem when trying to connect
I have a Linksys router. Connected the WN2000RPT as described in the Netgear instructions. Everything went through fine, the lights were good, ...EXT appears in the scan of available networks, etc. Tried to connect a Vizio Smart TV, an Amazon Fire TV and an Asus tablet. All 3 devices show ...EXT with a strong signal. However, none of the devices connects; each fails with an error message 'Authentication problem' or simply 'cannot connect'.
My router is set up using personal security 'WPA2/WPA mixed'. When configuring the wifi extender, I told it to use the same SSID and security as the router settings. Reading online about the settings available on the WN2000, I decided that the problem was perhaps a "lag" in the security implementation, because the WN2000 does not have the same settings available as the router. Did a factory reset on the extender and went back through the procedure, only this time did not select "use the same level of security as the router", but manually selected WPA/PSK (AES) for the extender. Same exact error on my devices as before.
I thought that maybe using the router's security settings was spoiling the extender because they do not have the same settings available. But perhaps using different parameters (when the extender receives the signal from the router, but perhaps on a "pass-through" only basis?) causes problems as well?
So, can someone tell me if there is a way to get my devices to connect to the extender, or is this always going to be a problem because the router has a security setting, and whether I manually set the security OR tell the extender to use the same security settings, it will not work because the two units are not compatible? Am I doing something wrong? Any ideas? Thank you!
Hello RealisticDave
Did you try a different SSID, rather than the same as the router's SSID?
DarrenM
-
Yoga 2 1050F WiFi authentication problem
Hello
I am a new member and just upgraded to Android 5. Seems a big mistake, because it is unable to connect to the internet (no problem with Android 4); it says "authentication problem". Tried forgetting and re-entering the password, power-cycling the router, and a factory reset. Nothing. If Lenovo comes out with a fix, how will I be able to get it onto the tablet when I have no internet connection? For the moment, I have a tablet which is about as useful as a tile. Help
Hello
Just disable IPv6 on your box (router), because Lollipop uses IPv6 by default and some boxes are not entirely compatible.
-
Are IDS 4215 sensors compatible with TACACS+? I see nothing in the CSM or the IDS user guides themselves that would lead me to believe they are, but I wanted to make sure with the group.
Thank you.
IDS/IPS devices currently do not support external authentication using AAA servers. The only way users can be authenticated is by using the local database on the IDS/IPS device.
I hope this helps.
Kind regards
Maryse.
-
We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses VLAN 1, and VLAN 40 for the wireless clients. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access into VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.
The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.
-
TACACS+ ACS 5.4 ASR 9001 authorization
Hello
Can anyone help with TACACS+ attributes for users authorized on a Cisco ASR 9001 (IOS XR)?
Thank you
Yoram
You should know which task the command you are trying to issue belongs to.
Then you know which task group that task is mentioned in.
Visit this link to learn how to do the above:
https://supportforums.Cisco.com/docs/doc-15944
Then you must configure the TACACS+ server to return the attribute that puts the task under the user's privilege:
See here: http://goo.gl/7YP5zu
I use the following on the ACS server in the user group config (we have version 4.2):
task = #cisco-support,rwx:admin,#root-system
This makes the user inherit read, write and execute access to the 'admin' task and puts the user in the local (locally defined on the router) 'cisco-support' and 'root-system' user groups.
NOTE: we did two things above: inherit access to the task AND put the user in the selected local groups. I don't know if one can be used without the other.
HTH
Amjad
Rating useful answers is more useful than saying "thank you".
-
ACE with TACACS+ question
Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
The "optional" syntax does not work. Any idea whether the argument is valid for this version of ACS?
service = exec
optional shell:Admin = domain Admin
I tried it with quotes, but that didn't work either.
Hello
This is a reference doc for configuring the ACE for TACACS+ authentication:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891
Under the custom attributes for TACACS+ we need to specify the attribute in the form:
shell:Admin*ADMIN MYDOMAIN1
= means mandatory attribute
* means optional
Information on context/role/domain (virtualization on ACE):
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html
Default 'roles' on ACE:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
HTH
JK
Please rate helpful posts.