AAA and CNA?

I am trying to configure a 3750 switch for AAA. Telnet and SSH work fine, but CNA and HTTP are not working. Both SSH and Telnet need to authenticate using RADIUS, but CNA/HTTP needs to authenticate using a local account, because the local administrator only uses the CNA for management and the admins in TACACS use the CLI. Here is what I have so far.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key 7 XXXXX
The debugs show the connection authenticating correctly.
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170543: 48w1d: AAA/BIND(000003FB): Bind i/f
170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170551: 48w1d: AAA/BIND(000003FD): Bind i/f
170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170567: 48w1d: AAA/BIND(000003FE): Bind i/f
170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
170571: 48w1d: HTTP: Priv level granted 15
170572: 48w1d: AAA/BIND(000003FF): Bind i/f
170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170575: 48w1d: AAA/BIND(00000400): Bind i/f
170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
170579: 48w1d: HTTP: Priv level granted 15
170580: 48w1d: AAA/BIND(00000401): Bind i/f
Any help would be appreciated.
Thanks,
Robert
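As an added example (not part of Robert's post): a small Python model that parses the method lists and `ip http authentication aaa` bindings above and resolves which list an HTTP/CNA request lands on. The resolution rule (a request uses the list bound for its type and privilege level, otherwise the list named `default`) is a simplified model of IOS behaviour and an assumption of this example; it reproduces what the debug trace shows, where login, exec and priv-15 command authorization pick `http_auth` while the priv-1 `show version` finds list "default" with Method=LOCAL.

```python
"""Resolve which AAA method list serves each request of an HTTP/CNA session.
CONFIG holds the poster's method-list lines; the 'bound list, else default'
rule is a simplified model of IOS and an assumption of this example."""
import re

CONFIG = """\
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
"""

# Named method lists: kind is login, exec or commands (commands carry a level).
LIST_RE = re.compile(r"^aaa (?P<kind>authentication login|authorization exec|"
                     r"authorization commands (?P<lvl>\d+)) (?P<name>\S+) (?P<methods>.+)$")
# Bindings of the HTTP server to named lists.
HTTP_RE = re.compile(r"^ip http authentication aaa (?P<what>login-authentication|"
                     r"exec-authorization|command-authorization)(?: (?P<lvl>\d+))? (?P<name>\S+)$")
KIND = {"login": "login", "exec": "exec", "command": "commands"}

def split_methods(text):
    """'local group tacacs+' -> ['local', 'group tacacs+'] ('group' takes a name)."""
    toks, out = text.split(), []
    while toks:
        tok = toks.pop(0)
        out.append(f"{tok} {toks.pop(0)}" if tok == "group" else tok)
    return out

def parse(config):
    """Return (lists, http): lists[(kind, lvl, name)] -> methods,
    http[(kind, lvl)] -> list name bound by `ip http authentication aaa`."""
    lists, http = {}, {}
    for line in config.splitlines():
        if m := LIST_RE.match(line):
            lvl = int(m["lvl"]) if m["lvl"] else None
            kind = "commands" if lvl is not None else m["kind"].split()[1]
            lists[(kind, lvl, m["name"])] = split_methods(m["methods"])
        elif m := HTTP_RE.match(line):
            lvl = int(m["lvl"]) if m["lvl"] else None
            http[(KIND[m["what"].split("-")[0]], lvl)] = m["name"]
    return lists, http

def resolve_http(lists, http, kind, lvl=None):
    """Name and methods of the list an HTTP-session request lands on.
    No explicit binding -> 'default'; a bound but undefined name -> []."""
    name = http.get((kind, lvl), "default")
    return name, lists.get((kind, lvl, name), [])

if __name__ == "__main__":
    lists, http = parse(CONFIG)
    # login/exec/priv-15 commands -> http_auth; priv-1 'show version' -> default
    for kind, lvl in [("login", None), ("exec", None), ("commands", 15), ("commands", 1)]:
        print(kind, lvl or "", "->", resolve_http(lists, http, kind, lvl))
```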

Good day.
Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
Sincerely,
Marc
https://supportforums.cisco.com/message/3562335#3562335

Similar Messages

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    I have a Cisco WLC running version 7.4.121 and remote-site access points connected to this controller; the remote access points will have a different VLAN on the remote side itself.
    My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering also.
    My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both the AAA and MAC filter options working?
    One more question:
    Is it possible to have separate MAC filters for each AP on the WLC?
    thanks
    cyril

    If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible with FlexConnect local switching enabled, provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
    Actually, the best option for you is to either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
    Hope this clears your doubts!
    Note: Please do not forget to rate and accept as solution in case the post is valid.

  • AAA and ISE

    Hi All,
    Where do I configure primary AAA and secondary AAA at ISE?
    According to deployments guide Fig 1-6. Dispersed Deployment
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
    If we are using AD, then is the AAA solution RODC?
    Thanks,
    John

    Hello,
    Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
    Please refer to below link which might help you.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html

  • AAA and MD5 Configuration on SIP Calls

    Please, can anyone help with AAA and MD5 configuration on a Cisco 3640 running SIP? My carrier told me that the only way my calls can be authenticated is through AAA or MD5, e.g.:
    Host:
    Authentication ID:
    Secret:
    Please I need your help thank you in advance.
    Knmezi

    MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
    These protocols use MD5 authentication:
    OSPF
    RIP version 2
    BGP
    IP Enhanced IGRP
    For AAA configuration refer to following url;
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml

  • AAA and PIN

    Good day
    Is it possible to configure the 2800 router as an AAA server and apply a PIN for authentication?
    Any suggestion will be appreciated.

    Stephane
    I am not sure what you are asking. It is certainly possible to configure 2800 routers to use AAA to request authentication. Your question sounds like it is asking if the 2800 can be configured to provide authentication services for other devices in the network. I believe the answer to this is no; the 2800 does not provide authentication services to other devices.
    And I am not clear what you mean when you say PIN. If you just mean a password, then yes, the authentication can be based on a statically defined password. If you mean a one-time-use password (such as the RSA tokenID), the authentication server can be configured to process and authenticate with the one-time passwords.
    HTH
    Rick

  • AAA and TACACS servers

    Hello All,
    I want to download free, yet reliable AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.

    You may download the eval version ACS 4.2.0.124 if you have access to cisco.com:
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • AAA and 3560 Switch + CNA

    Hi
    Has anyone got this to work?
    CNA (Cisco Network Assistant) and AAA (TACACS+) on a 3560 switch.
    I can't get the CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
    this is the aaa conf.
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default enable group tacacs+ none
    aaa authorization exec default group tacacs+ local
    aaa authorization exec no_tacacs none
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip http server
    ip http authentication aaa

    Hi
    No. I get the prompt for username and password, and hit enter. Then nothing happens. It looks like it's trying to build the network, but it never finishes. I know it works without the aaa statement, but I can't live with that.

  • AAA and local user authentication

    Hi,
    I already have AAA authentication set up on my switch, and I can use local users to log in when the AAA server is unreachable.
    But I want to know if it is possible to use local users even when the AAA server is reachable. Something like: first it checks the local user database, and if the user does not exist then it falls back to AAA, or vice versa.
    Thanks.

    Ismail, the authentication methods you define act as a service. So only when the service is not available does the method fall back to the next method you define.
    So in your case, if the user account is not present in the local database it will not fall back to the AAA server:
    aaa authentication login default local group radius
    The same holds true if the user account is not there on the AAA server:
    aaa authentication login default group radius local
    Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
    Hope this helps!
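    As an added example (not from the answer above): a Python model of the fall-through rule the answer describes. Each method answers PASS, FAIL or ERROR; the next method in the list is consulted only on ERROR (server unreachable), never on FAIL (user unknown or wrong password). The user stores are constructed dictionaries standing in for the local database and the RADIUS server.

```python
"""IOS AAA method-list fall-through, modelled: the next method is tried only
when the current one cannot answer, not when it rejects the login.
Constructed example; LOCAL_USERS and RADIUS_USERS stand in for real stores."""
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered: reject (list evaluation stops here)
    ERROR = "error"  # method could not answer (unreachable): try next method

# Constructed accounts: one exists only locally, one only on RADIUS.
LOCAL_USERS = {"netadmin": "L0calPw!"}
RADIUS_USERS = {"alice": "Rad1usPw!"}

def local_method(user, password, radius_up):
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

def radius_method(user, password, radius_up):
    if not radius_up:
        return Result.ERROR          # no response: IOS moves to the next method
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL

METHODS = {"local": local_method, "group radius": radius_method}

def authenticate(method_list, user, password, radius_up=True):
    """Walk the list left to right; stop at the first PASS or FAIL.
    Returns (result, deciding method). If every method ERRORs the login is
    rejected here, since neither list in the answer ends in 'none'."""
    for name in method_list:
        result = METHODS[name](user, password, radius_up)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None

def demo():
    """The two lists from the answer against accounts held in only one store."""
    lists = {"local group radius": ["local", "group radius"],
             "group radius local": ["group radius", "local"]}
    return {label: {
        "alice (radius only)": authenticate(lst, "alice", "Rad1usPw!")[0].value,
        "netadmin (local only)": authenticate(lst, "netadmin", "L0calPw!")[0].value,
        "netadmin, radius down": authenticate(lst, "netadmin", "L0calPw!", False)[0].value,
    } for label, lst in lists.items()}

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```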

  • AAA and Certificate Based VPN

    We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate-based VPN and the AnyConnect client on startup.
    To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate-based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
    However, once I create my certificate-based VPN profile, any client that doesn't have a certificate fails to connect because they don't have a valid certificate, without having the option to choose the AAA-only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate-based profile.
    Is there any way to set up the ASA to accept clients without a certificate using the AAA authentication while still having the certificate-based profile enabled for doing a proof of concept?
    Thanks

    Hi CrankyMonkey, 
    The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
    "Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
    As a workaround you can try the following cipher configuration and check if it works:
    ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA" 
    Reference link
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
    Rate if helps.
    -Randy

  • ACS AAA and LOCAL AAA database...

    Hello,
    We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter in this 5520 device configuration so I can have redundancy for AAA. Can someone help with this? TIA, Gary

    Hi ,
    Check this example
    aaa-server SERVER protocol tacacs+
    aaa-server SERVER host 1.1.1.1
    key $har3dK3y
    This command applies the server group to the vty or console lines:
    aaa authentication ssh console SERVER LOCAL      <--- for SSH sessions
    aaa authentication serial console SERVER LOCAL   <--- for console access
    Hope that helps
    Regards,
    JG~
    Please rate helpful posts

  • Nexus 7000 aaa and local authentication

    Hello,
    I tried to configure AAA (with RADIUS) and local user authentication on a Nexus 7004 (version 6.2(6a)), but did not get it to work.
    RADIUS authentication is working fine(!), but I can't log in with a locally created user (role vdc-operator).
    Any help is highly appreciated.
    Kind regards,
    Andreas

    Hi,
    Yes, I know that the fallback will kick in when no RADIUS server responds, but I need the behaviour the 6500 (or 4500) shows (btw, local login works if RADIUS is disabled or local is the default, but if local is the default, RADIUS login no longer works). Only one of the methods works at a time.
    On the 6500 I configured AAA with a Windows NPS server and a local user (e.g. for the Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via SSH) with the locally defined user account.
    What I miss is a kind of the command:
    "aaa authentication login default local group radius"
    "aaa authentication enable default enable"
    (which works on the WS-C6509 or  WS-C4500X).
    Is there any chance to get this work on the Nexus7000?
    Kind regards,
    Andreas

  • AAA and Cisco MDS switches.........

    I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with the "network-admin" role locally, that works, but not the default admin user.
    Could anyone help me in this regard.

    local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
    config t
    # Enable TACACS+
    tacacs+ enable
    tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
    tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
    # Specify TACACS+ Server groups
    aaa group server tacacs+ tacgrp
    server nnn.nnn.nnn.nnn
    server mmm.mmm.mmm.mmm
    aaa authentication login default group tacgrp
    aaa authentication login console local
    # Enable TACACS+ Accounting
    aaa accounting default group tacgrp local
    end
    copy running-config startup-config
    Thanks
    Mohan

  • AAA and TACACS on everything BUT NOT console

    I would like to enable login authentication AND enable authentication on the VTY but NOT the console. The console should authenticate locally for both user and privilege modes. I can't seem to separate the 'enable' piece. Any thoughts?

    I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode, but not for the enable or privilege mode. It is either "tacacs" or "enable" or some other combination, but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:
    username cisco password cisco
    enable secret cisco
    aaa authentication login notac local
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection TAC start-stop group tacacs+
    aaa session-id common
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY

  • AAA and AP 1240Ag

    I currently use Secure ACS 4.1 and I wanted to know if I could use this with my 1240AG AP. I am looking to be able to use AAA to log into the Access Point.
    Can this be done? Will it be the same setup as a router, or does it need something special?

    Yes, it can be done. I have only done it on a 1131AG AP running IOS in a test lab, but if your AP is running IOS then I presume it's the same.
    I used the following config example in a test lab:-
    http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008069593c.shtml
    HTH.

  • AAA and CCME/CUE

    We have two CCME/CUE installations using 2851 routers with the NM-CUE installed in each. We just recently turned on AAA (TACACS) on the routers and now cannot get into the CUE. If we remove the AAA statements we can access the CUE by pressing enter at the password prompt. Has anyone run into this before? Thank you.

    Found the problem. We did not have the login authentication statement on the line port.
