2960X 15.02(EX5) %AAA-3-ACCT_LOW_MEM_UID_FAIL:AAA unable to create UID for incoming calls due to insufficient processor memory.
Deployed four 2960X switches in a stack. All was okay for about one month, then I tried to web browse for the first time via Firefox, which partially displayed the page. I assumed this was a browser error, so I tried Chrome and then IE, which both failed: Chrome was a bad display and IE failed to connect.
After this, I could not telnet or ssh. Plugged into the console and immediately started receiving:
%AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
%% Low on memory; try again later
I am unable to log in. I have a TAC case logged but the first step to try is a reboot, which will be difficult until I can get a maintenance window. When I do get a maintenance window, I would also like to deploy a fix such as a different version of code or a work-around config command. I don't mind disabling HTTP.
Any suggestions?
I am currently working with TAC
The switches failed about 18 hours later and had to be rebooted to get back up. Now that I have console/telnet access, I can see the memory being depleted mostly by the Auth Manager process at about the same rate as free memory is dropping.
SW13#sho proc mem sort | i Auth Manager
191 0 177721332 95004616 34757416 0 0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
191 0 177754888 95025696 34759780 0 0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
191 0 177774316 95037928 34761056 0 0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
191 0 177799720 95053940 34762888 0 0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
191 0 177824976 95069732 34764696 0 0 Auth Manager
SW13#
SW13#
SW13#sho proc mem sort | i Processor
Processor Pool Total: 442796836 Used: 103448576 Free: 339348260
SW13#sho proc mem sort | i Processor
Processor Pool Total: 442796836 Used: 103454416 Free: 339342420
SW13#sho proc mem sort | i Processor
Processor Pool Total: 442796836 Used: 103455860 Free: 339340976
SW13#sho proc mem sort | i Processor
Processor Pool Total: 442796836 Used: 103459236 Free: 339337600
SW13#sho proc mem sort | i Processor
Processor Pool Total: 442796836 Used: 103461040 Free: 339335796
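An added example, not from the original post: a small Python checker that parses the `show processes memory` rows and Processor Pool lines quoted above and flags a process whose Holding column grows on every sample while pool free memory falls. The sample text is constructed from the five rows above, and the row layout (PID TTY Allocated Freed Holding Getbufs Retbufs Process) is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the five "Auth Manager" rows and five "Processor Pool"
# lines quoted above, interleaved as if captured in one polling loop.
SAMPLE_OUTPUT = """\
191 0 177721332 95004616 34757416 0 0 Auth Manager
Processor Pool Total: 442796836 Used: 103448576 Free: 339348260
191 0 177754888 95025696 34759780 0 0 Auth Manager
Processor Pool Total: 442796836 Used: 103454416 Free: 339342420
191 0 177774316 95037928 34761056 0 0 Auth Manager
Processor Pool Total: 442796836 Used: 103455860 Free: 339340976
191 0 177799720 95053940 34762888 0 0 Auth Manager
Processor Pool Total: 442796836 Used: 103459236 Free: 339337600
191 0 177824976 95069732 34764696 0 0 Auth Manager
Processor Pool Total: 442796836 Used: 103461040 Free: 339335796
"""

# Assumed "show processes memory" row layout:
# PID TTY Allocated Freed Holding Getbufs Retbufs Process
PROC_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
POOL_ROW = re.compile(r"^Processor Pool Total:\s*(\d+)\s+Used:\s*(\d+)\s+Free:\s*(\d+)")


@dataclass
class ProcSample:
    pid: int
    holding: int   # bytes the process currently holds
    name: str


@dataclass
class PoolSample:
    total: int
    used: int
    free: int


def parse_output(text: str):
    """Split captured CLI output into per-process and pool samples, in order."""
    procs: List[ProcSample] = []
    pools: List[PoolSample] = []
    for line in text.splitlines():
        m = POOL_ROW.match(line)
        if m:
            pools.append(PoolSample(*(int(x) for x in m.groups())))
            continue
        m = PROC_ROW.match(line)
        if m:
            procs.append(ProcSample(int(m.group(1)), int(m.group(5)), m.group(8)))
    return procs, pools


def deltas(values: List[int]) -> List[int]:
    return [b - a for a, b in zip(values, values[1:])]


def strictly_increasing(values: List[int], min_samples: int = 3) -> bool:
    """True when every successive sample is larger: the leak signature."""
    return len(values) >= min_samples and all(d > 0 for d in deltas(values))


def leak_report(text: str, process: str = "Auth Manager") -> Dict[str, object]:
    """Correlate one process's Holding growth with the Processor Pool free drop."""
    procs, pools = parse_output(text)
    holding = [p.holding for p in procs if p.name == process]
    free = [p.free for p in pools]
    growth = holding[-1] - holding[0] if holding else 0
    free_drop = free[0] - free[-1] if free else 0
    return {
        "process": process,
        "samples": len(holding),
        "holding_growth": growth,          # bytes gained by the process
        "pool_free_drop": free_drop,       # bytes lost from the pool
        "share_of_drop": round(growth / free_drop, 2) if free_drop > 0 else None,
        "suspect_leak": strictly_increasing(holding) and free_drop > 0,
    }


if __name__ == "__main__":
    print(leak_report(SAMPLE_OUTPUT))
```

Polling the two commands on a timer and feeding the captures to leak_report gives an early warning long before the %AAA-3-ACCT_LOW_MEM_UID_FAIL messages lock you out.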
Similar Messages
-
Aaa-reports! enterprise v1.2 - audit solutions for Cisco Secure ACS
Extraxi is pleased to announce the latest version of its flagship reporting package - aaa-reports! enterprise v1.2
The next release of aaa-reports! enterprise has just been made - mainly concentrating on new reports and datasets including:
Single TACACS+ command authorisations. Shows both permitted and denied commands by combining log entries from Failed Attempts and T+ Device Administration logs
RADIUS and TACACS session reports. These provide single row per session with all relevant data.
RADIUS identity networking reports. The dataset used by the RADIUS session report is key for auditing identity network environments, allowing a username to be tied to a client-side MAC address/IP address or telephone number, assigned IP address etc. Using the point-and-click query builder it's possible to create deployment-centric reports with multi-level grouping, sorting, filtering plus calculated fields using flexible Visual Basic syntax and a full function library.
Stability and bug fixes
Updated installers
aaa-reports! enterprise v1.2 is a free upgrade for existing customers with a current support contract.
Visit www.extraxi.com for full product details and a 60 day fully working trial.
To see how aaa-reports! can help you meet your ACS audit requirements please take a look at this earlier post.
-
ACS AAA and LOCAL AAA database...
Hello,
We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server went down. I am having trouble finding documentation for the syntax I need to enter on this 5520 device configuration so I can have redundancy for AAA. Can someone help with this? TIA, Gary
Hi,
Check this example
aaa-server SERVER protocol tacacs+
aaa-server SERVER host 1.1.1.1
key $har3dK3y
This command applies the server group to the vty or
console lines:
==========
aaa authentication ssh console SERVER LOCAL <--- For SSH sessions
aaa authentication serial console SERVER LOCAL <--- For console access
Hope that helps
Regards,
JG~
Please rate helpful posts -
AAA problems Nexus 7000 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user
Hi,
I'm having problems getting our Nexus 7000 to authenticate users from our Windows domain. If I set up a user within the ACS server and use the CiscoSecure database for password authentication it works fine.
In the logs on the nexus I receive the following messages when logging on using my windows account.
%AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user 16894. Error 0x404a0036 - login[20923]
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user 16894 from 10.128.45.44 - login[20923]
We can log on to all other Cisco OS devices using windows domain accounts, its just the Nexus.
Any help much appreciated.
Thanks
Darren
No errors, the authentication on the ACS is showing as passed. The problem is I get an access denied message from the Nexus switch.
-
C3750 Unable to ssh after few days!
Hi all,
If anyone could help me please, I'm having a problem with my switch. It seems that I'm losing the ability to SSH to the switch after a few days, but if I reload it I can SSH into it again with no problem! At first I thought it was something wrong with my configuration, so I've reconfigured the SSH, username, domain name and cleaned the RSA keys and regenerated new ones.
My switch version is:
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9NPE-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)
Thank you guys for the reply,
This is what I get when I try to ssh:
ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
And Leo Laohoo, you guessed it right! It looks like a memory leak; this is the output for "sh log":
*Mar 5 17:19:57.579: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
*Mar 5 17:19:58.385: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
*Mar 5 17:19:59.005: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
*Mar 6 23:22:38.979: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!exec: enable
cs08#
Do you guys think of any work-around other than downgrading/upgrading the software? Because the biggest issue now is, it's one of 9 switches that all run the same IOS version and all of them are in a new production data center, and honestly I've had other weird issues with other switches too! -
How to survive an ACS audit with aaa-reports!
For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
Create a Change Control system for config changes on the ACS. Since its ACS that decides who gets access and what commands they run on your network its vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time; using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep the copies alongside the retained CSV logs for future reference.
Review the quality of ACS log data. From time to time its worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating not only that there is specific and adequate policy to control access to those parts of the network that require it, but also seeking evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
Below are some additional TDA specific tips:
Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) its also possible to use a rich array of formatting and other VB6 functions to create additional fields.
The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm.
-
How to use 2 AAA server for different login purpose
Hello, could you help me?
This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server who takes care of login on our network equipment.
! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
virtual-profile virtual-template 1
virtual-profile aaa
interface Serial2/0:15
description ISDN30
no ip address
encapsulation ppp
no ip route-cache
no keepalive
dialer pool-member 10
isdn switch-type primary-net5
isdn tei-negotiation first-call
isdn caller xxxxxxx
no fair-queue
compress stac
no cdp enable
ppp authentication chap
ppp multilink
interface Virtual-Template1
ip unnumbered FastEthernet1/0
ip nat outside
ppp authentication chap
tacacs-server host 10.20.30.40 key ********
line con 0
exec-timeout 20 0
password ************
login authentication no_tacacs
transport input none
flowcontrol hardware
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
password *************
login authentication no_tacacs
transport input telnet
transport output telnet
If I just add
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
login authentication vtymethod
My telnet request asks 10.20.30.40 and I get a deny! Could you help me make a secure solution?
Thanks, Jens
I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
aaa group server tacacs+ vty_TAC
server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********
I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
Give it a try and let us know what happens.
HTH
Rick -
I've setup the TACACS server with two groups
-FULL admin rights
-READ only rights
Two users have been created
-admin_test
-read_test
The admin_test config works fine on AAA but I keep getting stuck with the read_test configs. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:
group = readonly {
default service = deny
cmd = show { permit .* }
cmd = copy { permit .* }
cmd = ping { permit .* }
cmd = enable { permit .* }
cmd = configure { deny .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = debug { permit .* }
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
group = admin {
default service = permit
}
As you can see, readonly can only read, advanced can make limited changes and admin can do everything. On the Cisco router, I have the following configuration:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.
David
CCIE Security -
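An added example, not part of David's reply: a Python evaluator for the tac_plus group syntax shown above, useful for answering "what can the read-only group actually run?" before pushing the policy. It assumes tac_plus semantics of first-match on the argument regex, an implicit deny when a cmd block exists but no expression matches, and "default service" only when no cmd block exists; the config text is constructed, and shadowed_entries flags an entry that can never fire because an earlier ".*" entry for the same command precedes it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy in the tac_plus group syntax used in the post above
# (a trimmed readonly / advanced / admin set; braces closed).
TAC_PLUS_CONFIG = """
group = readonly {
    default service = deny
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = configure { permit .* }
    cmd = clear { permit line }
    cmd = interface { permit .* }
}
group = admin {
    default service = permit
}
"""

GROUP_RE = re.compile(r"^group\s*=\s*(\S+)\s*\{$")
DEFAULT_RE = re.compile(r"^default service\s*=\s*(permit|deny)$")
CMD_RE = re.compile(r"^cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.+?)\s*\}$")


@dataclass
class Group:
    default: str = "deny"   # assumed when no "default service" line is present
    cmds: List[Tuple[str, str, str]] = field(default_factory=list)  # (command, action, regex)


def parse_tac_plus(text: str) -> Dict[str, Group]:
    """Line-oriented parser for the subset of tac_plus syntax shown in the post."""
    groups: Dict[str, Group] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GROUP_RE.match(line):
            current = groups.setdefault(m.group(1), Group())
        elif line == "}":
            current = None
        elif current is None:
            raise ValueError(f"statement outside a group: {line!r}")
        elif m := DEFAULT_RE.match(line):
            current.default = m.group(1)
        elif m := CMD_RE.match(line):
            current.cmds.append((m.group(1), m.group(2), m.group(3)))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return groups


def authorize(groups: Dict[str, Group], group: str, command: str) -> Tuple[str, str]:
    """First matching entry for the command wins; a cmd block with no match is an
    implicit deny; a command with no cmd block falls back to 'default service'."""
    g = groups[group]
    words = command.split()
    name, args = words[0], " ".join(words[1:])
    entries = [(a, p) for c, a, p in g.cmds if c == name]
    if not entries:
        return g.default, f"no cmd block for {name!r}: default service = {g.default}"
    for action, pattern in entries:
        if re.search(pattern, args):
            return action, f"cmd = {name} {{ {action} {pattern} }}"
    return "deny", f"cmd block for {name!r} present but no expression matched"


def shadowed_entries(groups: Dict[str, Group]) -> List[str]:
    """Entries that can never fire because an earlier entry for the same
    command already matches every argument string ('.*')."""
    findings = []
    for gname, g in groups.items():
        seen_catch_all = set()
        for cmd, action, pattern in g.cmds:
            if cmd in seen_catch_all:
                findings.append(f"{gname}: cmd = {cmd} {{ {action} {pattern} }} is unreachable")
            if pattern == ".*":
                seen_catch_all.add(cmd)
    return findings


if __name__ == "__main__":
    policy = parse_tac_plus(TAC_PLUS_CONFIG)
    for cmd in ("show running-config", "configure terminal", "clear counters", "reload"):
        print("readonly", cmd, "->", authorize(policy, "readonly", cmd))
```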
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results :
1.A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
of the IT_department only .
I haven't been successful; I would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere? -
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command information to ACS.
Accounting commands not sent to ACS are "show log" and "show version".
Accounting commands sent to ACS are "show runn", "conf t" and "debug".
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands sent to ACS are privilege level 15 commands. So I need the additional aaa accounting command below to get routers and switches to send level 1 commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1, so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,
Hi,
please do this and the router will send everything to the ACS server, except whatever you are doing to the router in HTTP:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Role-Based CLI Views with AAA method
Hi,
I'm configuring Role-Based CLI Views on a router for limiting access to users.
My criteria:
- There should be a local user account on the router that has the view 'service' attached to it
- If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
My configuration:
aaa new-model
enable secret 1234
username service view service secret 1234
aaa group server radius my_radius
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
The ERROR
Now I want to go configure the cli view 'service'...
# enable view
Password: 1234
*Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
The Questions
Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
Can you change this behaviour to always use the enable secret?
The TEMP Solution
If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
Thanks so much for the suggestions
/JZN
Hi,
You have the following configured:
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login authentication mgmt".
You cannot make it local. Whatever is defined first on the method list mgmt will take precedence.
The enable secret is locally defined, but you have the following configured:
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
line vty 0 4
authorization exec mgmt
Hence exec mode will also be done via radius server.
when you configure:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
You are making the authentication local, hence it is working the way you want.
In short, whatever authentication is defined first on the method list will take precedence. The fallback will be checked only if the first AAA server is not reachable.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
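An added example that models IOS method-list fallback for both Rick's two-server-group answer earlier in this list and Anisha's explanation here; it is not code from either reply. Server addresses and credentials are constructed, and the model assumes that a reject (FAIL) from the first responding server is final while only a timeout (ERROR) moves on to the next server in the group or the next method in the list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = no usable answer (server dead/timeout)


@dataclass
class Server:
    address: str
    users: Dict[str, str] = field(default_factory=dict)   # constructed credentials held by this server
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR                       # timeout: try the next server / method
        return PASS if self.users.get(user) == password else FAIL   # reject is final


@dataclass
class Router:
    servers: List[Server]                                  # every configured host, in config order
    groups: Dict[str, List[Server]] = field(default_factory=dict)   # "aaa group server ..." named groups
    local_users: Dict[str, str] = field(default_factory=dict)       # "username ... secret ..."
    enable_secret: str = ""
    method_lists: Dict[str, List[str]] = field(default_factory=dict)  # "aaa authentication login NAME ..."

    def _servers_for(self, group: str) -> List[Server]:
        # The built-in "tacacs+" / "radius" group is every configured host, in order.
        if group in ("tacacs+", "radius"):
            return self.servers
        return self.groups[group]

    def _run_method(self, method: str, user: str, password: str) -> Tuple[str, str]:
        if method == "none":
            return PASS, "none"
        if method == "local":
            return (PASS if self.local_users.get(user) == password else FAIL), "local"
        if method == "enable":
            return (PASS if password == self.enable_secret else FAIL), "enable"
        if method.startswith("group "):
            name = method.split(None, 1)[1]
            for srv in self._servers_for(name):
                result = srv.authenticate(user, password)
                if result != ERROR:
                    return result, f"{method} -> {srv.address}"   # first server that answers decides
            return ERROR, f"{method} -> all servers unreachable"
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, list_name: str, user: str, password: str) -> Tuple[str, List[str]]:
        """Walk the named method list; only an ERROR falls through to the next method."""
        trace: List[str] = []
        for method in self.method_lists[list_name]:
            result, where = self._run_method(method, user, password)
            trace.append(f"{where}: {result}")
            if result in (PASS, FAIL):
                return result, trace
        return FAIL, trace                     # every method errored: login fails


def view_scenario(radius_up: bool) -> Router:
    """Anisha's case: 'mgmt' is group my_radius then local; VIEW_CONFG is local only."""
    r1 = Server("10.1.1.1", users={"netops": "radius-pw"}, reachable=radius_up)
    r2 = Server("10.1.1.2", users={"netops": "radius-pw"}, reachable=radius_up)
    return Router(servers=[r1, r2], groups={"my_radius": [r1, r2]},
                  local_users={"service": "1234"}, enable_secret="1234",
                  method_lists={"mgmt": ["group my_radius", "local"],
                                "VIEW_CONFG": ["local"]})


def two_server_scenario() -> Router:
    """Jens/Rick case: the first host only knows the dial-in users, vty admins live on the second."""
    t1 = Server("10.20.30.40", users={"ppp-user": "ppp-pw"})
    t2 = Server("10.50.60.70", users={"jens": "vty-pw"})
    return Router(servers=[t1, t2], groups={"vty_TAC": [t2]}, enable_secret="ena",
                  method_lists={"vtymethod_all": ["group tacacs+", "enable"],   # Jens's first attempt
                                "vtymethod": ["group vty_TAC", "enable"]})       # Rick's fix


if __name__ == "__main__":
    print(view_scenario(True).authenticate("mgmt", "service", "1234"))
    print(view_scenario(False).authenticate("mgmt", "service", "1234"))
    print(two_server_scenario().authenticate("vtymethod_all", "jens", "vty-pw"))
    print(two_server_scenario().authenticate("vtymethod", "jens", "vty-pw"))
```

The traces show why the RADIUS Access-Reject never reaches the local method while the servers are up, and why `group tacacs+` hands Jens's login to 10.20.30.40 first.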
Match different AAA Groups per source IP
Dear Colleagues,
The issue that Im facing right now is the following:
I have an external device that runs auto-commissioning on my router and doesn't support "username" login, only "password", when attempting to log in through telnet in order to access and run the script. In addition I have AAA TACACS running on the same router, so this device is now unable to access the router as the first login request is the "username". I cannot change the telnet command executed by the external device; it's doing a single telnet to the destination IP of my router, so I discard any option like adding a dedicated TCP port for this external device's access. To be clear, what it is expecting to receive after executing the telnet is:
c:/> telnet 1.1.1.1
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
User Access Verification
Password:
To fix this issue my idea is try to configure two different AAA groups, one AAA_GROUP that request normal authentication to TACACs for all telnet session and one EXCEPTION with authentication "none" and exec "local". The configuration should be something like this:
aaa new-model
aaa group server tacacs+ AAA_GROUP
server-private A.B.C.D key 7 ###################
ip tacacs source-interface Loopback0
aaa authentication login default group AAA_GROUP local
aaa authentication login EXCEPTION none
aaa authentication enable default group AAA_GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group AAA_GROUP local
aaa authorization exec EXCEPTION local
aaa authorization commands 15 default group AAA_GROUP none
aaa accounting exec default start-stop group AAA_GROUP
aaa accounting commands 15 default stop-only group AAA_GROUP
aaa accounting connection default stop-only group AAA_GROUP
aaa accounting system default start-stop group AAA_GROUP
aaa session-id common
Then match in some way all telnet sessions with the source IP of the external device to the group EXCEPTION and the rest to AAA_GROUP. Finally, configure only a "password" in the VTY lines so when the device attempts to log in with the group EXCEPTION with no authentication and local login, it will just be asked for the "password".
The main issue is how to do this discrimination between the AAA_GROUP and EXCEPTION lists per source IP of the host originating the telnet session to my router. Is that possible?
Thanks in advance for your support.
Hi,
The problem is in your config: both classes are pointing to the same VIP and port, so only the first class will be hit.
Try this configuration:
policy-map type loadbalance first-match NON_AUTHENT_PM
class NON_AUTHENT_CM --------for desired client source IP's
serverfarm PROXY_HTTP_SF
nat dynamic 6 vlan 1601 serverfarm primary
class class-default ------for rest of client IP's
serverfarm PROXY_HTTP_SF
nat dynamic 5 vlan 1601 serverfarm primary
and remove NAT from multi-match policy. use single class, so rest of config will be
serverfarm host PROXY_HTTP_SF
description Proxied Internet Connections
probe PROXY_HTTP_PROBE
fail-on-all
rserver ELFCPRXY1
inservice
rserver ELFCPRXY2
inservice
rserver ELFCPRXY3
inservice
class-map match-any NONAUTHENT_HTTP_VIP
3 match virtual-address 10.10.240.5 tcp eq 80
class-map type http loadbalance match-any NON_AUTHENT_CM
description Subnets from which Internet Authentication is not Required
3 match source-address 10.10.16.0 255.255.240.0
4 match source-address 10.10.32.0 255.255.240.0
5 match source-address 10.10.48.0 255.255.240.0
policy-map type loadbalance first-match NON_AUTHENT_PM
class NON_AUTHENT_CM
serverfarm PROXY_HTTP_SF
nat dynamic 6 vlan 1601 serverfarm primary
class class-default
serverfarm PROXY_HTTP_SF
nat dynamic 5 vlan 1601 serverfarm primary
policy-map multi-match LOAD_BAL
class NONAUTHENT_HTTP_VIP
loadbalance vip inservice
loadbalance policy NON_AUTHENT_PM
loadbalance vip icmp-reply
Hope this help -
ISE Could not locate Network Device or AAA Client
When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined IP address. Could this be causing the problem?
Here is the config of the port that I'm testing on:
interface GigabitEthernet1/0/9
switchport access vlan 9
switchport mode access
switchport voice vlan 8
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 4
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
I can ping both the vlan and the endpoint from the ISE. As far as allowing ISE to speak SNMP and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the SNMP and RADIUS shared passwords.
I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
aaa new-model
aaa authentication dot1x default group radius
aaa authentication dot1x defualt group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
ip radius source-interface TenGigabitEthernet1/0/1
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
authentication order dot1x mab
authentication priority dot1x mab
dot1x pae authenticator
dot1x timeout tx-period 10
Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821
I am trying to optimise the detailed accounting records for VPN client connections on our system
but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
The VPN functionality works fine, this is just an accounting issue.
All other accounting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
The system details are:
VPN server : Cisco 2821 with IOS 12.4(11)XW3
Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
Accounting RADIUS: Microsoft Windows Server 2008 R2 NPS
I have used the same setup many times previously on various 2801, 2811, and 2911 platforms with no issue (across v12 and v15 IOS).
Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup; no config was required to send it.
Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
Example debug of a tunnel start accounting message, showing that attribute 66 is not included in the info sent to the accounting server:
Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Session-Id [44] 10 "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Server-Auth-I[91] 14 "********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Tunnel-Connecti[68] 4 "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-IP-Address [8] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: User-Name [1] 10 "*********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Authentic [45] 6
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port [5] 6 426
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID426"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Class [25] 46
Jun 25 2013 14:55:13.595 AEST: RADIUS: 69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01 [i??????7????????]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22 [??????????????n"]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 2F A7 37 14 00 00 00 00 00 00 00 29 [/?7????????)]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Service-Type [6] 6 Framed [2]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-IP-Address [4] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Delay-Time [41] 6 0
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
Jun 25 2013 14:55:13.691 AEST: RADIUS: authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
Important config
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
peer default ip address pool VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Larry,
1) Please set up enable authentication to get the actual user name,
aaa authentication enable console tacacs-auth LOCAL
On ACS user setup you need to set up tacacs+ enable password.
3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and is active on the firewall.
Use only
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and acc to 219.
Regards,
~JG
Do rate helpful posts.
Hi All,
Where do I configure primary AAA and secondary AAA at ISE?
According to deployments guide Fig 1-6. Dispersed Deployment
http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
If we are using AD, then is the AAA solution an RODC?
Thanks,
John
Hello,
Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, dot1x and CWA.
Please refer to the link below, which might help you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html