AAA authentication on switch

We are configuring 802.1X for wired clients. ISE is our AAA server. While configuring, I came across three different command sets:
1) radius-server host <primary aaa server> auth-port 1812 acct-port 1813
   radius-server host <secondary aaa server> auth-port 1812 acct-port 1813
   radius-server key <shared_key>
2) aaa group server radius <RADIUS group name>
    server <Primary Radius Server IP> auth-port 1812 acct-port 1813
    server <Secondary Radius Server IP> auth-port 1812 acct-port 1813
3) aaa server radius dynamic-author
    client <Primary Server> server-key <radius_key>
    client <Secondary Server> server-key <radius_key>
Now, we already created the AAA server group in step 2.
What is the significance of step 3? If I don't add the clients under dynamic-author, what effect will it have on the overall configuration? Will CoA for posture be affected by this?
Thanks,
Aditya

Hello Aditya-
The commands in step #3 configure the NAD (in your case the switch) to accept CoA (Change of Authorization), which is used for 802.1X-based network authentication. If you are only interested in configuring the switch for device administration, then you don't need those commands; however, if you are planning on deploying 802.1X, then you do need them. For more info check out this link:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
Thank you for rating helpful posts!
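As an added check (example code written for this page, not from the original post or from Cisco), the script below parses a constructed running-config fragment modelled on the three command sets in the question and reports any RADIUS server that sits in the "aaa group server radius" group but is missing from "aaa server radius dynamic-author", or whose server-key does not match the key the switch authenticates with. The switch only accepts CoA (RFC 5176) from addresses listed as a client there, and only with the right key, so a node left out can still authenticate sessions while its posture-triggered reauthentication never reaches the port. The IP addresses, group name and keys are made up; the "key 7" decoder is included because configs are routinely pasted with type-7 keys, and the sample uses the well-known type-7 string for "cisco".

```python
"""Cross-check the three RADIUS command sets from the question.

Added example, not code from the original post or from Cisco.  It parses a
constructed IOS running-config fragment (SAMPLE_CONFIG) and reports every
server in the chosen `aaa group server radius` group that has no
`radius-server host` line, has no `client` under `aaa server radius
dynamic-author`, or whose `server-key` differs from the key used for
authentication.  Servers in the last two states can authenticate sessions
but their CoA requests are ignored by the switch.
"""
import re

# Cisco type-7 strings are a fixed-key XOR, reversible by anyone holding the
# config; decoded here only so `key 7 <hex>` can be compared with a cleartext
# `server-key`.  Type 6 (AES) is not decodable and is kept as an opaque string.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(blob):
    """'02050D480809' -> 'cisco': the first two digits seed the key offset."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(data))


def normalise_key(spec):
    """Cleartext of a key argument written as 'x', '0 x' or '7 <hex>'."""
    if spec is None:
        return None
    parts = spec.split()
    if len(parts) >= 2 and parts[0] == "7":
        return type7_decode(parts[1])
    if len(parts) >= 2 and parts[0] in ("0", "6"):
        return parts[1]
    return parts[0]


_HOST = re.compile(r"^radius-server host (\S+)(?:\s+auth-port \d+)?"
                   r"(?:\s+acct-port \d+)?(?:\s+key (.+))?$")
_GLOBAL_KEY = re.compile(r"^radius-server key (.+)$")
_GROUP = re.compile(r"^aaa group server radius (\S+)$")
_GROUP_SERVER = re.compile(r"^server (\S+)")
_COA = re.compile(r"^aaa server radius dynamic-author$")
_COA_CLIENT = re.compile(r"^client (\S+)\s+server-key (.+)$")


def parse(config):
    """Collect hosts, global key, server groups and dynamic-author clients."""
    cfg = {"hosts": {}, "global_key": None, "groups": {}, "coa": {}}
    block = None                          # ("group", name) or ("coa", None)
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if raw[0] != " ":                 # a top-level command ends any block
            block = None
            if m := _HOST.match(line):
                cfg["hosts"][m.group(1)] = normalise_key(m.group(2))
            elif m := _GLOBAL_KEY.match(line):
                cfg["global_key"] = normalise_key(m.group(1))
            elif m := _GROUP.match(line):
                block = ("group", m.group(1))
                cfg["groups"][m.group(1)] = []
            elif _COA.match(line):
                block = ("coa", None)
            continue
        if block and block[0] == "group" and (m := _GROUP_SERVER.match(line)):
            cfg["groups"][block[1]].append(m.group(1))
        elif block and block[0] == "coa" and (m := _COA_CLIENT.match(line)):
            cfg["coa"][m.group(1)] = normalise_key(m.group(2))
    return cfg


def check(cfg, group):
    """Findings for one server group; an empty list means CoA-ready."""
    findings = []
    for ip in cfg["groups"].get(group, []):
        if ip not in cfg["hosts"]:
            findings.append(f"{ip}: in group {group} but no radius-server host")
            continue
        auth_key = cfg["hosts"][ip] or cfg["global_key"]   # per-host key wins
        if ip not in cfg["coa"]:
            findings.append(f"{ip}: no dynamic-author client; CoA from it is ignored")
        elif cfg["coa"][ip] != auth_key:
            findings.append(f"{ip}: dynamic-author server-key differs from the RADIUS key")
    return findings


SAMPLE_CONFIG = """\
! constructed sample: the second ISE node was never added under dynamic-author
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813
radius-server host 10.1.1.12 auth-port 1812 acct-port 1813
radius-server key 7 02050D480809
aaa group server radius ISE-GROUP
 server 10.1.1.11 auth-port 1812 acct-port 1813
 server 10.1.1.12 auth-port 1812 acct-port 1813
aaa server radius dynamic-author
 client 10.1.1.11 server-key cisco
"""

if __name__ == "__main__":
    for finding in check(parse(SAMPLE_CONFIG), "ISE-GROUP") or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the second node, 10.1.1.12, which has no dynamic-author client. On a real switch "show aaa servers" lists the configured RADIUS hosts for comparison. The keys in the 3560 config pasted further down this page are type 7 as well and decode the same way, which is the argument for storing them as type 6 ("key config-key password-encrypt" together with "password encryption aes") and for scrubbing keys before posting a config.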

Similar Messages

  • LMS 3.2 - Problem with inventory of switches using AAA authentication

    Hi all,
    We want to migrate our network equipment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server; username and password for privilege level 15). The network devices are managed with CiscoWorks 3.2, and inventory works fine when the device login credentials are the telnet password and enable password.
    I have configured a switch for testing the authentication against the ACS server and tested the login manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked them with a device export with credentials. The credentials in CW were OK, but from that point on CiscoWorks couldn't pull an inventory of the switch any more. Every inventory job failed.
    Any help would be appreciated. Thanks a lot.
    Regards
    fred

    Joe,
    Excuse me, I've made a mistake. It's a malfunction of the configuration *archiving*, which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials with a DCR export.
    fred

  • AAA authentication is fail on cisco 4505 switch with acs

    I am new to AAA. I want to log in to a switch with authentication coming from Cisco ACS 5.1, and I have configured both the switch and ACS 5.1. When I telnet to the
    switch it displays "% Authentication fails". Can anybody help me regarding this issue?
    On the Cisco switch end the config is:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login TACASE group tacacs+
    aaa authentication exec default group tacacs+
    tacacs-server host 10.10.10.1
    tacacs-server key Password!@#
    line vty 0 4
    login authentication TACASE
    On the ACS 5.1 side I added the switch with its VLAN IP address, which is connected to ACS 5.1,
    but when I log in using the PuTTY terminal it shows "% Authentication fails".
    Please help me regarding this issue!

    Hi,
    What is the error message reported on ACS?
    Are you sure you are using the same key on ACS and the cat4k?
    Can you configure "ip tacacs source-interface" with the VLAN interface you are using as the source?
    You can also collect these debugs:
    - deb aaa authentication
    - deb tacacs
    Cheers
    Marco

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have a C3560 switch (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1),
    and ISE version 1.3.
    MAB authentication is working perfectly at the ISE end, but looking at the switch end I see the switch dropping packets on some ports,
    while other ports are working perfectly.
    The same switch configuration is working perfectly on another switch without any issue.
    Switch configuration for your suggestions:
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page, and we can go from there.

  • Radius Authentication Cisco Switch

    Hi,
    I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy does the server side; we have matching keys and he says there is no problem on his side, but we still cannot get it to work.
    Config on switch
    aaa new-model
    aaa authentication login default group radius local
    radius-server host 10.0.0.13 auth-port 1812
    radius-server key 0 test
    line vty 0 4
    login authentication default
    The switch and RADIUS server are on the same network. I have done a debug and am confused by the output. Can anyone point me in the right direction?
    I have done a debug aaa authentication and debug radius:
    AccessSwitch#
    RADIUS/ENCODE(00001586):Orig. component type = Exec
    RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
    RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    RADIUS(00001586): Config NAS IP: 0.0.0.0
    RADIUS(00001586): Config NAS IPv6: ::
    RADIUS/ENCODE(00001586): acct_session_id: 20
    RADIUS(00001586): sending
    RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
    RADIUS(00001586): Sending a IPv4 Radius Packet
    RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
    RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
    RADIUS:  User-Name           [1]   15  "james.hoggard"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  NAS-Port            [5]   6   2
    RADIUS:  NAS-Port-Id         [87]  6   "tty2"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
    RADIUS(00001586): Started 5 sec timeout
    RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
    RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
    RADIUS(00001586): Received from id 1645/18
    AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
    RADIUS/ENCODE(00001586): ask "Password: "
    RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
    Thanks
    James.

    Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MS-CHAP; we can't configure firewall/IOS devices to authenticate users for administration sessions like telnet/ssh with the MS-CHAPv2 authentication method.
    If you need secure communication then you may implement TACACS.
    TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ not only encrypts the entire payload when communicating, but also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
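The exchange in the debug above, rebuilt as an added example (written for this page; not the poster's or Cisco's code) to show concretely what the comparison in the reply describes. The script reassembles James's Access-Request from the attributes and request authenticator printed by "debug radius", using the shared secret "test" from his config and a made-up password (the debug masks the real one), and then applies the TACACS+ body obfuscation from RFC 8907 to a constructed body. The RADIUS packet comes out at 77 bytes, as in the debug, with the username and NAS fields readable and only User-Password transformed; the TACACS+ body is transformed end to end. The password "hunter2", the TACACS+ session id, version, sequence number and body are assumptions.

```python
"""What the shared secret hides on the wire: RADIUS vs TACACS+.

Added example, not code from the original thread.  The RADIUS side rebuilds
the Access-Request from the `debug radius` output (identifier 18, request
authenticator 7CB1...7298, shared secret "test" from the posted config);
the password is constructed because the debug masks it.  The TACACS+ side
applies the RFC 8907 body obfuscation to a constructed body.
"""
import hashlib
import struct

SECRET = b"test"                                              # radius-server key 0 test
PASSWORD = b"hunter2"                                         # constructed
REQ_AUTH = bytes.fromhex("7CB1A05562457BAFF2E2484CC3F07298")  # from the debug
ACCESS_REQUEST, ACCESS_REJECT = 1, 3


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: null-pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the request
    authenticator.  Only the User-Password attribute gets this treatment."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining input is the hidden block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type-Length-Value; the length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, password):
    """The six attributes, in the order the switch sent them."""
    attrs = (avp(1, b"james.hoggard")                              # User-Name
             + avp(2, hide_password(password, SECRET, REQ_AUTH))   # User-Password
             + avp(5, struct.pack("!I", 2))                        # NAS-Port 2
             + avp(87, b"tty2")                                    # NAS-Port-Id
             + avp(61, struct.pack("!I", 5))                       # NAS-Port-Type Virtual
             + avp(4, bytes([10, 0, 0, 56])))                      # NAS-IP-Address
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return hdr + REQ_AUTH + attrs


def parse_avps(packet):
    """Walk the attributes of a RADIUS packet as a sniffer would see them."""
    out, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    the only integrity check an attribute-less Access-Reject carries."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def tacacs_obfuscate(body, key, session_id, version, seq_no):
    """RFC 8907 s4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(same || pad_{n-1}); body XOR pad.  XOR again to recover."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":
    pkt = build_access_request(18, PASSWORD)
    print(f"Access-Request len {len(pkt)}")                 # 77, as in the debug
    for t, v in parse_avps(pkt):
        print(f"  attr {t:3d} {v!r}")                       # username readable, password not
    body = b"constructed TACACS+ authentication body: james / hunter2"
    print("TACACS+ body on the wire:", tacacs_obfuscate(body, SECRET, 0x12345678, 0xC0, 1).hex())
```

Both transforms are MD5-keyed XOR streams, so an attacker with a capture and the response authenticator (or a TACACS+ packet with guessable plaintext) can test candidate shared secrets offline; the Access-Reject in the debug carries no attributes, so the 16-byte response authenticator that response_authenticator computes is the only thing the switch can verify before trusting the reply.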

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different from the aaa authentication server group.
    try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Aaa authentication for https access

    I have several Catalyst 3750 switches that I'm running TACACS on. I set the switches up as HTTP servers so that some of our admins could administer them through the web GUI. Is it possible to log in to the web console with your TACACS login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command, but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
    Thanks in advance,
    Eric

    My experience of the web interface is that it uses the local password on the device and not the AAA authentication IDs and passwords.
    HTH
    Rick

  • AAA authentication / Radius-Servers

    Hello Cisco folks,
    I have a technical question I would like to ask. I'm able to set up my 3750E switch to log in through a RADIUS server with my company user ID and password, but I would like to set it up so that when I log in it drops me at the enable prompt. Right now I have to type ">en"
    and then the enable password. Thanks in advance.
    Paul

    Hi Bro
    Yes, this can be achieved on Cisco IOS devices but not on the Cisco ASA. On the Cisco ASA you still have to type the "enable" command.
    Just ensure you have the configuration shown below, and all should be good:
    enable password cisco
    aaa new-model
    aaa authentication login VTY group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec VTY group radius local
    username ram privilege 15 password 0 cisco
    username cisco privilege 7 password 0 cisco
    interface FastEthernet0/0
    ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip radius source-interface FastEthernet0/0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
    privilege interface level 7 shutdown
    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no shutdown
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no
    privilege configure level 7 interface
    privilege configure level 7 shutdown
    privilege configure level 7 ip
    privilege configure level 7 no interface
    privilege configure level 7 no shutdown
    privilege configure level 7 no ip
    privilege configure level 0 no
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 undebug ip rip
    privilege exec level 7 undebug ip
    privilege exec level 7 undebug all
    privilege exec level 7 undebug
    privilege exec level 7 debug ip rip
    privilege exec level 7 debug ip
    privilege exec level 7 debug all
    privilege exec level 7 debug
    line con 0
    authorization exec VTY
    login authentication VTY
    line aux 0
    line vty 0 4
    authorization exec VTY
    login authentication VTY
    end
    Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
    P/S: if you think this comment is helpful, please do rate it nicely :-)

  • AAA configuration on switches 2960

    Hi
    I have introduced the following AAA configuration on 2950 series switches and it works very well,
    but when I do the same on 2960 switches, the local password does not work and it is mandatory to add the switch to the ACS in order to manage it.
    Is some additional AAA configuration needed on 2960 switches?
    Thanks.
    tacacs-server host y.y.y.y
    tacacs-server key xxxxx
    aaa new-model
    aaa authentication login acceso-consola group tacacs+ line
    aaa authentication login acceso-telnet group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line con 0
    exec-timeout 0 0
    login authentication acceso-consola
    line vty 0 4
    login authentication acceso-telnet

    Maria
    Perhaps some clarification of your environment might help us. In particular, it would help to understand how you produce the "without ACS" environment.
    Clearly the switch is still configured for ACS, and clearly there is connectivity from the switch to the ACS, and the ACS is responding to the authentication request from the switch. I am not sure what errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
    I had a situation at one point that may have been similar to yours. Our devices were sending requests to ACS, but ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating it was unable to process the request, but the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
    If you are stopping something on the ACS server, then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point it at some device not running ACS so that the switch receives a port-unreachable response to its request. Those would give you a better test of "without ACS".
    HTH
    Rick

  • AAA and 3560 Switch + CNA

    Hi
    Has anyone got this to work?
    CNA (Cisco Network Assistant) and AAA (TACACS+) on a 3560 switch.
    I can't get CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches with the same parameters.
    This is the AAA config:
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default enable group tacacs+ none
    aaa authorization exec default group tacacs+ local
    aaa authorization exec no_tacacs none
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip http server
    ip http authentication aaa

    Hi
    No. I get the prompt for username and password
    and hit enter. Then nothing happens. It looks like it's trying to build the network but it never finishes. I know it works without the AAA statement, but I can't live with that.

  • AAA on 3750 switch

    How do I disable AAA on a 3750 switch that has got screwed up due to a missing tacacs-server key command in an older configuration? I believe ROMmon mode will not work...

    Hi ,
    I believe you are able to log in to the switch. If that is the case then issue these commands:
    no tacacs-server host [ip]
    no tacacs-server key [key]
    no aaa authentication login default group tacacs+ local
    no aaa authorization exec default group tacacs+ if-authenticated
    no aaa authorization commands 1 default group tacacs+ if-authenticated
    no aaa authorization commands 15 default group tacacs+ if-authenticated
    no aaa authorization config-commands
    If you have accounting also, do the same. And finally
    no aaa new-model
    But in case you are not able to log in to the box using TACACS or local login, then you need to do password recovery.
    Thanks,
    Jagdeep

  • ACE 4700 and Cisco ACS aaa authentication

    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    <A.B.C.D> TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#
    Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices. Please help. Thanks.

    Thanks. Now I have another problem. I CAN log into the ACE via TACACS+ account(s). However, I get an error when I try going into configuration mode:
    ACE-lab login: ngx1
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    ACE-lab/Admin# conf t
    ^
    % invalid command detected at '^' marker.
    ACE-lab/Admin#
    The ngx1 account can access other Cisco routers/switches just fine and can go into enable mode just fine. The only issue is on the ACE. Any ideas? Thanks.

  • TACACS for AAA on Cisco Switch

    I have configured our switches for TACACS authentication; however, it does not seem to be working. I know it is trying, because if I remove the secondary login option (local) I am denied access completely, but I see no log on the ACS server. Any ideas? Oh, and this is going across an any-to-any VPN.

    Can you log into your switch and turn on debug aaa authentication and debug tacacs?
    Then go ahead and issue a "test aaa group ..." command to test the authentication. Do you see it timing out? Are you using a source interface for this traffic? Is that source interface inside the LAN-to-LAN interesting traffic?

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to create a limited-access group through RADIUS that I can have new network analysts log in to
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the RADIUS server is passing the correct attribute:
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like you're in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command it moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesn't matter that I was given priv level 7 by RADIUS, because 'enable' put me into priv 15.
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    it will allow you to type sh run without errors, but it doesn't actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my RADIUS system and will report back accordingly, as it's a different server from where I am currently located.
    Troubleshooting: have you deleted the certificate/network profile on the devices and started from scratch?

  • AAA Authentication Question

    Here is the config I have on a switch:
    aaa authentication login default group tacacs+ local
    aaa authentication login vtylogin group tacacs+ local
    aaa authentication login conlogin group tacacs+ enable none
    aaa authentication enable default tacacs+ enable
    Now here are my issues:
    1- When I log in from the console my login via TACACS works, but when I type "enable" and try to use my Active Directory password it does not work. Then I try the enable password, and it does not work either. However, if I change the 4th line to "aaa authentication enable default enable", I can proceed using the enable password.
    2- My second issue is that when I SSH into the switch, I only want it to use the TACACS server and only use the local database when TACACS is not available. However, even when TACACS is available I am still able to log in using the local user account. I am assuming that is by design? Is there a way to stop that if it is not by design?

    But it won't use your local database unless your TACACS+ server is unavailable, so I really don't see the problem.
    If the router uses your local database to authenticate, then there is a communication problem with your TACACS+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the TACACS+ server, and only if it times out will it use an alternative method, if one is listed in the method list.
