AAA and CNA?
I am trying to configure a 3750 switch for AAA. Telnet and SSH work fine, but CNA and HTTP are not working. Both SSH and Telnet need to authenticate using RADIUS, but CNA/HTTP needs to authenticate using a local account, because the local administrator only uses the CNA for management and the admins in TACACS use the CLI. Here is what I have so far.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key 7 XXXXX
The debugs show the connection authenticating correctly.
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170543: 48w1d: AAA/BIND(000003FB): Bind i/f
170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170551: 48w1d: AAA/BIND(000003FD): Bind i/f
170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170567: 48w1d: AAA/BIND(000003FE): Bind i/f
170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
170571: 48w1d: HTTP: Priv level granted 15
170572: 48w1d: AAA/BIND(000003FF): Bind i/f
170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170575: 48w1d: AAA/BIND(00000400): Bind i/f
170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
170579: 48w1d: HTTP: Priv level granted 15
170580: 48w1d: AAA/BIND(00000401): Bind i/f
Any help would be appreciated.
Thanks,
Robert
Good day.
Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
Sincerely,
Marc
https://supportforums.cisco.com/message/3562335#3562335
Similar Messages
-
WLC Flexconnect with AAA and MAC authentication
hi,
I have a Cisco WLC running version 7.4.121, and I have remote-site access points connected to this controller; the remote access points will have a different VLAN on the remote side itself.
My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering as well.
My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both the AAA and MAC filter options working?
One more question:
Is it possible to make separate MAC filters for each AP on the WLC?
thanks
cyril
If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible with FlexConnect local switching enabled, provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution in case the post is valid. -
Hi All,
Where do I configure primary AAA and secondary AAA at ISE?
According to deployments guide Fig 1-6. Dispersed Deployment
http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
If we are using AD, then is the AAA solution RODC?
Thanks,
John
Hello,
Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
Please refer to the link below, which might help you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html -
AAA and MD5 Configuration on SIP Calls
Please can anyone help with AAA and MD5 configuration on a Cisco 3640 running SIP? My carrier told me that the only way that my calls can be authenticated is through AAA or MD5, e.g. -
Host:
Authentication ID:
Secret:
Please I need your help thank you in advance.
Knmezi
MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
These protocols use MD5 authentication:
OSPF
RIP version 2
BGP
IP Enhanced IGRP
For AAA configuration refer to the following URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml -
Good day
Is it possible to configure the 2800 router as an AAA server and apply a PIN for authentication?
Any suggestion will be appreciated.
Stephane
I am not sure what you are asking. It is certainly possible to configure 2800 routers to use AAA to request authentication. Your question sounds like it is asking if the 2800 can be configured to provide authentication services for other devices in the network. I believe the answer to this is no; the 2800 does not provide authentication services to other devices.
And I am not clear what you mean when you say PIN. If you just mean a password, then yes, the authentication can be based on a statically defined password. If you mean a one-time-use password (such as the RSA tokenID), the authentication server can be configured to process and authenticate with the one-time passwords.
HTH
Rick -
Hello All,
I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.
You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
ACS v4.2.0.124 90-Days Evaluation Software
eval-ACS-4.2.0.124-SW.zip
http://tools.cisco.com/squish/9B37e
Path:
Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
> Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
~BR
Jatin Katyal
**Do rate helpful posts** -
AAA and 3560 Switch + CNA
Hi
Has anyone got this to work?
CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
I can't get the CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
This is the AAA config:
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip http server
ip http authentication aaa
Hi
No. I get the prompt for username and password and hit enter. Then nothing happens. It looks like it's trying to build the network, but it never finishes. I know it works without the AAA statement, but I can't live with that. -
AAA and local user authentication
Hi,
I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
But I want to know if it is possible to use local users even when the AAA server is reachable. Something like: first it checks the local user database, and if the user does not exist, then it falls back to AAA, or vice versa.
Thanks.
Ismail, the authentication method you define acts as a service. So only when the service is not available does the method list fall back to the next method you define.
So in your case, if the user account is not present in the local database, it will not fall back to the AAA server.
aaa authentication login default local group radius
The same holds true if the user account is not there on the AAA server:
aaa authentication login default group radius local
Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
Hope this helps! -
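The fallback rule described in the reply above (a method list moves on only when a method cannot answer, never when it answers "reject") is easy to get wrong, so here is an added simulation written for this page, not code from the forum or from Cisco. It models `local`, `group radius`/`group tacacs+` and `none` as methods returning pass, fail or error, walks a method list the way the reply describes, and also shows why a trailing `none` (as in the `group tacacs+ ... none` lists elsewhere in this thread) grants access to anyone the moment the server is unreachable. The user database contents and the assumption that an empty local database yields "error" rather than "fail" are constructed for the example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (server unreachable, empty local db)


# Constructed sample data: a local user database and the RADIUS/TACACS+ user store.
LOCAL_USERS: Dict[str, str] = {"admin": "local-pw"}
SERVER_USERS: Dict[str, str] = {"granto-mark": "server-pw"}


def local(user: str, password: str, server_up: bool) -> Result:
    # Modeling assumption: an empty local database is an ERROR (walk continues);
    # a populated database always gives a definite PASS or FAIL.
    if not LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def group_server(user: str, password: str, server_up: bool) -> Result:
    # "group radius" / "group tacacs+": only an unreachable server is an ERROR;
    # a reachable server that rejects the user is a definite FAIL.
    if not server_up:
        return Result.ERROR
    return Result.PASS if SERVER_USERS.get(user) == password else Result.FAIL


def none(user: str, password: str, server_up: bool) -> Result:
    # "none": no authentication at all, always accepts.
    return Result.PASS


METHODS: Dict[str, Callable[[str, str, bool], Result]] = {
    "local": local, "group radius": group_server,
    "group tacacs+": group_server, "none": none,
}


def authenticate(method_list: List[str], user: str, password: str,
                 server_up: bool = True) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Walk the list: try the next method only on ERROR; PASS or FAIL ends the walk."""
    trace: List[Tuple[str, Result]] = []
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    return Result.FAIL, trace  # every method errored out: deny


if __name__ == "__main__":
    cases = [
        (["local", "group radius"], "granto-mark", "server-pw", True),  # local answers FAIL first
        (["group radius", "local"], "admin", "local-pw", True),         # server answers FAIL first
        (["group radius", "local"], "admin", "local-pw", False),        # server down: local consulted
        (["group tacacs+", "none"], "anyone", "wrong", False),          # server down: "none" opens the door
    ]
    for mlist, user, pw, up in cases:
        verdict, trace = authenticate(mlist, user, pw, up)
        print(f"{' '.join(mlist):<22} user={user:<12} server_up={up!s:<5} -> {verdict.value:<5} via {trace}")
```

Run it and compare the first two cases: a user known only to the other store is rejected outright, which is exactly the "no cross-lookup" behaviour the reply describes.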
We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate-based VPN and the AnyConnect client on startup.
To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate-based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
However, once I create my certificate-based VPN profile, any client that doesn't have a certificate fails to connect, because they don't have a valid certificate, without having the option to choose the AAA-only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate-based profile.
Is there any way to set up the ASA to accept clients without a certificate to use the AAA authentication while still having the certificate-based profile enabled for doing a proof of concept?
Thanks
Hi CrankyMonkey,
The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
"Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
As a workaround you can try to use the following cipher configuration and check if it works.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
Reference link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
Rate if it helps.
-Randy -
ACS AAA and LOCAL AAA database...
Hello,
We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter on this 5520 device configuration so I can have redundancy for AAA. Can someone help with this? TIA, Gary
Hi,
Check this example
aaa-server SERVER protocol tacacs+
aaa-server SERVER host 1.1.1.1
key $har3dK3y
This command applies the server group to the vty or console lines:
==========
aaa authentication ssh console SERVER LOCAL <--- For SSH sessions
aaa authentication serial console SERVER LOCAL <--- For console access
Hope that helps
Regards,
JG~
Please rate helpful posts -
Nexus 7000 aaa and local authentication
Hello,
I tried to configure AAA (with RADIUS) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
RADIUS authentication is working fine(!), but I can't log in with a locally created user (role vdc-operator).
Any help is highly appreciated.
Kind regards,
Andreas
Hi,
Yes, I know that the fallback will jump in when no RADIUS server responds, but I need the behaviour of the 6500 (or 4500). (BTW, local login works if RADIUS is disabled or local is the default, but if local is the default, RADIUS login no longer works.) Only one of the methods works at a time.
On the 6500 I configured AAA with a Windows NPS server and a local user (e.g. for the Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via SSH) with the locally defined user account.
What I'm missing is something like the commands:
"aaa authentication login default local group radius"
"aaa authentication enable default enable"
(which works on the WS-C6509 or WS-C4500X).
Is there any chance to get this to work on the Nexus 7000?
Kind regards,
Andreas -
AAA and Cisco MDS switches
I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with the "network-admin" role locally, that works, but not the default admin user.
Could anyone help me in this regard? Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
config t
# Enable TACACS+
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
# Specify TACACS+ Server groups
aaa group server tacacs+ tacgrp
server nnn.nnn.nnn.nnn
server mmm.mmm.mmm.mmm
aaa authentication login default group tacgrp
aaa authentication login console local
# Enable TACACS+ Accounting
aaa accounting default group tacgrp local
end
copy running-config startup-config
Thanks
Mohan -
AAA and TACACS on everything BUT NOT console
Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes ... I can't seem to separate the 'enable' piece ... any thoughts?
I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not the enable or privilege mode. It is either "tacacs" or "enable" or some other combination, but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:
username cisco password cisco
enable secret cisco
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY -
I currently use Secure ACS 4.1 and I wanted to know if I could use this with my 1240AG AP. I am looking to be able to use AAA to log into the Access Point.
Can this be done? Will it be the same setup as a router, or does it need something special?
Yes, it can be done. I have only done it on a 1131AG AP running IOS in a test lab, but if your AP is running IOS then I presume it's the same.
I used the following config example in a test lab:
http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008069593c.shtml
HTH. -
We have two CCME/CUE installations using 2851 routers with the NM-CUE installed in each. We just recently turned on AAA (TACACS) on the routers and now cannot get into the CUE. If we remove the AAA statements we can access the CUE by pressing enter at the password prompt. Anyone run into this before? Thank you.
Found the problem. We did not have the login authentication statement on the line port.