ACS with TACACS+ authentication problem

My organization has been using ACS with AD to authenticate users for access to network devices.

But lately it does not work. There have been no known changes.

Can anyone point out possible problems, or links showing what the actual ACS configuration should look like for this to work?

My apologies if this is a naive question; I am not very comfortable with ACS.

Thank you!

Hello

There are two ways to correct the message 'Windows dialin permission required'. You can either grant dialin permission on the user accounts in your Windows database, or you can remove the 'Require Dialin permissions' option in ACS. To do this, go to 'External User Databases' and select 'Database Configuration'. Then go into your Windows database and click 'Configure'. The first option is a checkbox that says 'Verify that Grant dialin permission is checked'.

Checking this box causes the error you are getting if your Windows users do not have dialin permission. If you uncheck this box, that should clear it up.

HTH

JK

Tags: Cisco Security

Similar Questions

  • Problem with TACACS+ (ACS) and Catalyst 2950

    I have configured the 2950 as below and properly configured ACS. I can connect to the 2950 with this configuration; the problem comes after that: when I go to enable and try any command, I get the error "command authorization failed".

    What have I missed in the config that would allow me to execute commands?

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    tacacs-server host ***.***
    tacacs-server key 7 *

    Thanks in advance.

    Jon

    Hi Jon,

    The AAA configuration on the switch seems OK; maybe you need to take a look at your ACS.

    Check the following information, which you have to apply in your ACS config:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

    Rgds,

    AK

  • TACACS+ SSH authentication problem for ASA

    Dear Sir

    I manage an ASA 5540 active/failover pair. SSH authentication is performed via TACACS+ against an ACS 4.2 located in the same VLAN as the inside interface of the firewall. I have added both firewalls on the ACS using their inside interface IP addresses (the active and the standby address). I can successfully authenticate and connect to the active ASA without any problem. But on the standby ASA I get the SSH prompt but cannot log in. When I look at the failed-attempts log on ACS, I see "Unknown NAS" for that ASA. How can I solve this problem?

    Best regards

    Abebe Amare

    Network Engineer, VivaCell

    Hi Abebe,

    On the standby ASA, please check the following:

    show failover ---> make sure the secondary unit is in "Standby Ready" state and not failed.

    show aaa-server ---> check the output and see whether the ASA marks the AAA server as "UP" and is exchanging packets with it.

    Enable the following debugs and perform an authentication test as shown:

    debug aaa authentication
    debug tacacs
    debug ssh

    test aaa-server authentication <server-tag> host <server-ip> username <insert username> password <insert password>

    Send me the debugs after logging in with your username so that I can analyze them.

    Regards,

    Christian V

  • Custom authorization with TACACS+ (ACS 5.4) - NX-OS RBAC limited access

    Hello

    I created a custom RBAC role on NX-OS:

    Role: Limited_Admin
      11 deny command config t ; interface mgmt0
      10 permit read
      9 permit command config t ; interface *
      8 permit command copy running-config startup-config
      7 permit command ping *
      6 permit command traceroute *

    I created a shell profile with the following attribute, which places the user in the Limited_Admin role, and mapped it to the authorization policy rule:

    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles="Limited_Admin"

    When I log in with the test account I get mapped to the custom role, as shown below, but I have priv 15:

    user: testrbac
      roles: Limited_Admin
      account created through REMOTE authentication
      Credentials such as ssh server key will be cached temporarily only for this user account
      Local login not possible

    Any help is greatly appreciated. I had this working perfectly on 4.2 but am unable to make the rules work on 5.4.

    Nexus AAA configuration:

    tacacs-server key *
    ip tacacs source-interface mgmt0
    tacacs-server host x.x.x.x
    aaa group server tacacs+ ACS-SERVERS
      server x.x.x.x
      use-vrf management
    aaa group server tacacs+ ACS-SERVERS
    aaa authentication login default group ACS-SERVERS
    aaa authentication login console local
    aaa accounting default group ACS-SERVERS
    aaa authentication login error-enable

    I saw that, and it's what I wanted to see; I used it as the syntax/format under role on NX-OS, like this:

    Role: Limited_Admin
      11      deny    command                         configure terminal ; interface mgmt0

    However, I think you tried and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.

    Jousset
    * Please rate helpful posts *

    Sent from the Cisco Technical Support Android app

  • ACS 5.6 authentication problem

    We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

    The unit is installed on the network, correctly licensed, etc.

    I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.

    I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.

    When I SSH into the switch I can log in with my AD username and password, but I can't go into enable mode. It says "authentication failure".

    My AAA settings are:

    tacacs-server host 172.25.50.8
    tacacs-server timeout 3
    tacacs-server directed-request
    tacacs-server key

    I'm missing something somewhere, I don't know where. If I try to download the ACS support bundle, it says it is downloading but does not say where (or how).

    Any advice would be great. I'm new to this product.

    See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

  • Problem with Cisco ACS and different domains

    Hello

    We are currently experiencing a problem with the Cisco ACS we have put in place, and I'll try to describe it:

    We have ACS joined to the AD directory, where we have 2 domains and the appropriate group mappings.

    Then we have our Cisco switches with the following configuration:

    aaa new-model
    aaa authentication fail-message ^CCCC
    Failed to authenticate!
    Please contact the IT Networks Group for more information.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common

    But the problem is that users in one domain can authenticate, but not users in the other. Basically, when we check the passed authentications, both authentications are passed and show "Authen OK", but on the switch side the login fails.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on the IOS device using tacacs-server timeout 10.

    Do you not have remote logging enabled on the ACS server?

    -Philou

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hello

    We have the following situation:

    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B.

    First of all, is there a problem having an ACS SE and an ACS working together for one domain, or not? When we had only one domain and the two ACS SEs were responsible for domain A, it worked.

    Now, after the changes, machine authentication with EAP-TLS no longer works. In the logs it always says "external user DB is unknown" for a (machine) username such as host/abc.domain.ch

    This is the normal output of the Remote Agent; it finds the host, but then nothing happens:

    CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
    CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
    CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
    CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent

    So I did a test from the ASA to see whether the host is the problem (until the changes were made it was not a problem):

    test aaa-server authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA converts the host/ entry into the correct Windows format with the $):

    CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
    CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
    CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
    CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent

    It is clear that the test failed because of the wrong computer password, but the output is different from before. I saw that in ACS 4.1 you could change the send_break_action prefix to nothing, but in 4.2 that is no longer possible.

    Could this be the problem, or does someone see another problem?

    Best regards

    Dominic

    Hello

    I am encountering the same problem with my ACS. All attempts fail for the default group. For the default group the configuration is not available. Is this the reason behind all this?
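The Remote Agent trace above is easier to triage when it is folded back into one record per RPC. This is an added example, not code from the thread or from Cisco: it groups CSWinAgent lines by worker thread, keyed on the stable tokens (the NT_* RPC names, the "found" lookup, the "authentication attempts" and "FAILED (Error N" lines), and reports whether a request was never logged on at all (the EAP-TLS host lookup) or failed with a Win32 status code (1326 is ERROR_LOGON_FAILURE). The sample log is constructed to mirror the post's output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Remote Agent (CSWinAgent) lines in the post: a
# NT_DSAuthoriseUser lookup that finds the host but never logs it on, then a
# NT_MSCHAPAuthenticateUser attempt for ABC$ that fails twice with Windows error 1326.
SAMPLE_LOG = """\
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [DOMAIN]
CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent
CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent
"""

# CSWinAgent <date> <time> <msgid> <thread> 0x0 <module>: <text>; the thread id ties one RPC together.
LINE_RE = re.compile(r"^CSWinAgent \S+ \S+ \d{4} (?P<thread>\d+) 0x0 (?P<module>\w+): (?P<text>.*)$")
RPC_RE = re.compile(r"(NT_\w+) received")
FOUND_RE = re.compile(r'user "([^"]+)" found')
ATTEMPT_RE = re.compile(r"authentication attempts for user (\S+)")
FAIL_RE = re.compile(r"authentication FAILED \(Error (\d+)")
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE (bad user name or password)"}  # Win32 status code

@dataclass
class AgentRequest:
    thread: str
    rpc: str = ""
    lookup_user: str = ""   # principal the directory lookup resolved, e.g. host/abc.domain.ch
    auth_user: str = ""     # account actually handed to Windows, e.g. ABC$
    attempts: int = 0
    errors: list = field(default_factory=list)

    @property
    def outcome(self) -> str:
        if self.errors:
            return "FAILED"
        if self.attempts == 0:
            return "NO_LOGON_ATTEMPT"  # agent answered without ever trying a Windows logon
        return "OK"

def parse_agent_log(text: str) -> dict:
    """Group CSWinAgent lines by worker thread and summarise each RPC it served."""
    requests = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        req = requests.setdefault(m["thread"], AgentRequest(m["thread"]))
        msg = m["text"]
        if r := RPC_RE.search(msg):
            req.rpc = r.group(1)
        elif r := FOUND_RE.search(msg):
            req.lookup_user = r.group(1)
        elif r := ATTEMPT_RE.search(msg):
            req.auth_user = r.group(1)
            req.attempts += 1
        elif r := FAIL_RE.search(msg):
            code = int(r.group(1))
            req.errors.append(WIN32_ERRORS.get(code, f"Win32 error {code}"))
    # Threads that only carried the TCP accept line have no RPC and are dropped.
    return {t: r for t, r in requests.items() if r.rpc}
```

On the sample the DSAuthoriseUser thread ends as NO_LOGON_ATTEMPT and the MSCHAP thread as FAILED after two attempts, which is the contrast the post describes.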

  • WLC (foreign-anchor), problem with external web authentication -> ISE

    Hello guys

    I am designing a platform for a guest network, which must be isolated from the LAN, with the following equipment:

    • ISE 1.2 (Cisco SNS-3415-K9)
    • WLC 7.0.230.0 (Cisco 5508 controller) ---> foreign WLC
    • WLC 7.0.230.0 (Cisco 5508 controller) ---> anchor WLC.

    The tunnel between the WLCs is established successfully.

    The wireless client gets an IP address from the anchor WLC (DHCP server).

    Test 1:

    I set up the anchor WLC with local (internal) web authentication; the wireless client is authenticated by the WLC and browses successfully.

    Test 2:

    Configured external web authentication (ISE) on the anchor WLC. Configured a user in the ISE guest portal.

    The wireless client gets an IP address from the anchor WLC (DHCP server); when it tries to log in, the guest portal is not displayed.

    A debug of a wireless client trying to connect to the guest network is attached.

    That's right... there is a minimum supported code version required for this.

    Thank you

    Scott

    Help others by using the rating system and marking answered questions as "answered".

  • Nexus command authorization with TACACS+

    Hello.

    Can anyone provide a configuration example for using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?

    Thank you.

    Kind regards.

    Andrea

    Hello Andrea,

    We've moved to ACS 5.3 now, but we had our Nexus 5520 running against our old ACS 4.2 before that, so I've picked out the relevant bits of the config below:

    username admin password <password> role network-admin   ; local admin user

    feature tacacs+                                          ; enable TACACS+

    tacacs-server host <ip> key <key>                        ; set the TACACS server and its key
    aaa group server tacacs+ tacacs                          ; create the group called "tacacs"
      server <ip>                                            ; set the IP address of the TACACS server
      use-vrf management                                     ; tell it to use the default 'management' VRF to send TACACS queries
      source-interface mgmt0                                 ; ... and send them from the mgmt interface

    aaa authentication login default group tacacs            ; use TACACS for login authentication
    aaa authentication login console group tacacs            ; use TACACS for console login authentication
    aaa authorization config-commands default group tacacs local   ; use TACACS for config-command authorization
    aaa authorization commands default group tacacs local    ; use TACACS for normal command authorization
    aaa accounting default group tacacs                      ; send accounting records to TACACS

    I hope that works for you!

    (This may change a bit when you move to ACS 5.x: there we chose not to do complex command authorization (using only shell profiles); to get around this you send a role back to the Nexus 5K, and it does the command authorization (network-operator vs network-admin) based on that, provided you just don't configure aaa authorization commands on the 5K.)

    Rob...

  • Authentication problem when trying to connect

    I have a Linksys router. I connected the WN2000RPT as described in the Netgear instructions. Everything went fine, the lights were good, EXT appears in the scan of available networks, etc. I tried to connect a Vizio Smart TV, an Amazon Fire TV and an Asus tablet. All 3 devices show ...EXT with a strong signal. However, none of the devices connect, giving an error message 'Authentication problem' or simply 'cannot connect'.

    My router is set to 'WPA2/WPA mixed' personal security. When configuring the WiFi extender I told it to use the same SSID and security as the router. Reading online about the settings available on the WN2000, I decided the problem was perhaps a "lag" in the security implementation, because the WN2000 does not have the same settings available as the router. I did a factory reset on the extender and went back through the procedure, only this time not selecting "use the same security level as the router" but manually selecting WPA/PSK (AES) for the extender. Same exact error from my devices as before.

    I thought that maybe using the router's security settings was confusing the extender because it doesn't have the same settings available. But perhaps using different settings (when the extender receives the signal from the router, perhaps on a "pass-through" only basis?) causes problems as well?

    So, can someone tell me whether there is a way to get my devices to connect to the extender, or is this always going to be a problem because the router has a security setting such that, whether I set the extender's security manually OR tell it to use the same security settings, it won't work because the two units are not compatible? Am I doing something wrong? Any ideas? Thank you!

    Hello RealisticDave,

    Did you set a different SSID, and not the same as the router's SSID?

    DarrenM

  • Yoga 2 1050F WiFi authentication problem

    Hello

    I am a new member and just upgraded to Android 5. It seems a big mistake, because the tablet is unable to connect to the internet (no problem with Android 4) and says "authentication problem". I tried forgetting and re-entering the password, power-cycling the router, and a factory reset. Nothing. If Lenovo comes out with a fix, how will I be able to get it onto the tablet when I have no internet connection? For the moment I have a tablet that is about as useful as a tile. Help!

    Hello

    Just disable IPv6 on your box (router), because Lollipop uses IPv6 by default and some boxes are not entirely compatible.

  • IDS with TACACS+

    Are IDS 4215 sensors compatible with TACACS+? I see nothing in the CSM or IDS user guides themselves that would lead me to believe they are, but I wanted to make sure with the group.

    Thank you.

    IDS/IPS devices currently do not support external authentication using AAA servers. The only way users can be authenticated is using the local database on the IDS/IPS device.

    I hope this helps.

    Kind regards

    Maryse.

  • ACS authentication

    We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic login with a specific account. The access point uses VLAN 1, and the wireless terminal VLAN 40. When the kiosk machine authenticates to the ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block access from VLAN 40 into VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.

    The untrusted kiosk machine only communicates with the AP. The AP sends the credentials to the ACS server, which in turn tries to authenticate them against the Windows domain controller.

  • TACACS+ ACS 5.4 ASR 9001 authorization

    Hello

    Can anyone help with TACACS+ attributes for users authorized on a Cisco ASR 9001 (IOS XR)?

    Thank you

    Yoram

    You should know which task the command you are trying to run belongs to.

    Then you know which task group that task is listed under.

    Visit this link to know how to perform the above:

    https://supportforums.Cisco.com/docs/doc-15944

    Then you must configure the TACACS+ server to return the attribute that puts the task under the user's privileges:

    See here: http://goo.gl/7YP5zu

    I use the following attribute on the ACS server in the user group config (we have version 4.2):

    task = #cisco-support,rwx:admin,#root-system

    This makes the user inherit read, write and execute access to the 'admin' task and puts the user in the local (locally defined on the router) 'cisco-support' and 'root-system' user groups.

    NOTE: we did two things above: inherit access to the task AND put the user in the selected local groups. I don't know whether one can be used without the other.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • ACE with TACACS+ question

    Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.

    The "optional" syntax does not work. Any idea whether the argument is valid for this version of ACS?

    service = exec

    optional shell:Admin = domain Admin

    I tried it with quotes, but that didn't work either.

    Hello

    Here is a reference doc for configuring the ACE for TACACS+ authentication:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891

    Under the custom attribute for TACACS+ we need to specify the attribute in the form:

    shell:Admin*ADMIN MYDOMAIN1

    = means a mandatory attribute

    * means optional

    Information on context/role/domain (virtualization on ACE):

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html

    Default 'roles' on ACE:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297

    HTH

    JK

    Please rate helpful posts
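The attribute formats discussed in three of the threads above (JK's ACE `shell:Admin*...` with `=` for mandatory and `*` for optional, Amjad's IOS XR `task=#cisco-support,rwx:admin,#root-system`, and the NX-OS `shell:roles="Limited_Admin"` pair) all follow the same TACACS+ attribute-value shape. This added example is not code from any of the posts or from Cisco: it splits an attribute on its first `=` or `*`, expands the `task` value into task permissions versus router-local group membership (the IOS XR permission letters r/w/x/d are assumed), and `nas_view` is a deliberately simplified model of the mandatory/optional rule (an unknown mandatory attribute fails authorization, an unknown optional one is dropped).

```python
import re
from dataclasses import dataclass, field

# IOS XR task permission classes: read, write, execute, debug (assumed letter set).
PERM_LETTERS = set("rwxd")

@dataclass
class AVPair:
    name: str
    value: str
    mandatory: bool   # '=' separator; '*' marks the attribute optional

@dataclass
class TaskGrant:
    tasks: dict = field(default_factory=dict)   # task id -> set of permission letters
    groups: list = field(default_factory=list)  # router-local group names given as #name

AV_RE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*([=*])\s*(.*?)\s*$')

def parse_av_pair(text: str) -> AVPair:
    """Split one TACACS+ attribute on its first '=' (mandatory) or '*' (optional)."""
    m = AV_RE.match(text)
    if not m:
        raise ValueError(f"not an AV pair: {text!r}")
    name, sep, value = m.groups()
    return AVPair(name, value.strip('"'), mandatory=(sep == "="))

def parse_task_value(value: str) -> TaskGrant:
    """Decode an IOS XR 'task' value: '#name' joins a local group, 'perms:task' grants rights."""
    grant = TaskGrant()
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        if item.startswith("#"):
            grant.groups.append(item[1:])
            continue
        perms, sep, task = item.partition(":")
        if not sep or not task or not perms or not set(perms) <= PERM_LETTERS:
            raise ValueError(f"bad task entry: {item!r}")
        grant.tasks.setdefault(task, set()).update(perms)
    return grant

def nas_view(pairs: list, supported: set) -> tuple:
    """Simplified model of how a device treats a reply: an unknown mandatory
    attribute fails the authorization, an unknown optional one is silently dropped."""
    accepted, failing = {}, []
    for p in pairs:
        if p.name in supported:
            accepted[p.name] = p.value
        elif p.mandatory:
            failing.append(p.name)
    return accepted, failing

def decode_reply(lines: list) -> dict:
    """Parse a whole reply and expand the attributes discussed on this page."""
    out = {}
    for pair in map(parse_av_pair, lines):
        if pair.name == "task":
            out["task"] = parse_task_value(pair.value)
        elif pair.name == "shell:roles":
            out["roles"] = pair.value.split()   # NX-OS roles are space separated
        else:
            out[pair.name] = pair.value
    return out
```

Feeding `nas_view` a device that only understands `shell:roles` shows why the ACE thread's mandatory `shell:Admin=...` form breaks authorization on a device that ignores the optional `*` form.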
