AAA Authentication Question

Here is the config I have on a switch:
aaa authentication login default group tacacs+ local
aaa authentication login vtylogin group tacacs+ local
aaa authentication login conlogin group tacacs+ enable none
aaa authentication enable default tacacs+ enable
Now here are my issues:
1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work.  Then I try the enable password, it does not work.  However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.
2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available.  However even when tacacs is available I am still able to log into it using the local user account.  I am assuming that is by design?  Is there a way to stop that if it is not by design?

But it won't use you local database unless your tacacs+ server is unavailable so I really don't see the problem.
If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server so he is using the next method listed in your command which is local database. As I said before do a debug aaa authentication and you will see the router is attempting to communicate with the tacacs+ server and only if it times out then is he going to use an alternative method if it is listed in method list.

Similar Messages

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
    user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
    user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    group = admin {
    default service = permit
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to peform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets?Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

  • AAA authentication / Radius-Servers

                       Hello cisco folks,
    Have a technical question I would like to ask. I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.
    Then the enable password.  Thanks in advance.
    Paul

    Hi Bro
    Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
    Just ensure you've the configuration shown below, and all should be good;
    enable password cisco
    aaa new-model
    aaa authentication login VTY group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec VTY group radius local
    username ram privilege 15 password 0 cisco
    username cisco privilege 7 password 0 cisco
    interface FastEthernet0/0
    ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip radius source-interface FastEthernet0/0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
    privilege interface level 7 shutdown
    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no shutdown
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no
    privilege configure level 7 interface
    privilege configure level 7 shutdown
    privilege configure level 7 ip
    privilege configure level 7 no interface
    privilege configure level 7 no shutdown
    privilege configure level 7 no ip
    privilege configure level 0 no
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 undebug ip rip
    privilege exec level 7 undebug ip
    privilege exec level 7 undebug all
    privilege exec level 7 undebug
    privilege exec level 7 debug ip rip
    privilege exec level 7 debug ip
    privilege exec level 7 debug all
    privilege exec level 7 debug
    line con 0
    authorization exec VTY
    login authentication VTY
    line aux 0
    line vty 0 4
    authorization exec VTY
    login authentication VTY
    end
    Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
    P/S: if you think this comment is helpful, please do rate it nicely :-)

  • Cisco Nexus AAA authentication and console access

    We have nexus 7k with AAA authentication working now i have an issue i can't login using console port because my logins are rejected.Is there anyway we can login into console with local login details or we have to use ACS server (AAA) logins when connected to console (while ACS server is still reachable).
    My main question is i want to login using console port while ACS server is still reachable is it possible?

    Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
    HTH
    Rick

  • AAA authentication when logging into the router via the web browser

    Hi group,
    I am trying to get access the a cisco 2621 via http and authentication
    via AAA but there is something I am not quite understand.
    I am using the freeware TACACS+ server running on RedHat Linux
    Enterprise Server 3.0. I setup the TACACS+ account for myself with
    enable privilege on the TACACS+ box. This account, let call it,
    ddt123, can telnet/ssh into the IOS router and the enable secret
    is associated with this account as setup in TACACS+.
    Here is my configuration looks like on the TACACS+ file:
    [root@dca2-LinuxES tacacs]# more tac_plus.cfg
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    user = ddt123 {
    member = admin
    name = "ddt 123"
    login = cleartext "exec123"
    user = $ddt123$ {
    member = admin
    name = "ddt 123"
    login = cleartext "privi123"
    group = admin {
    default service = permit
    [root@dca2-LinuxES tacacs]#
    Here is my configuration on the IOS device:
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    tacacs-server host 192.168.15.10 key ***
    ip http server
    ip http authentication aaa login-authentication VTY
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    The question I have is that when I open the browser and enter http://router_IP_address,
    the it prompts me for authetication, which password should I use, "exec123" or "privi123"?
    Can someone explain to me how this work, and if it works at all? Thanks.
    David

    here is the "debug aaa authen" and "debug aaa author" on the router:
    C2621#term mon
    C2621#
    Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
    Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
    Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
    Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
    Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
    Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
    Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet
    Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
    Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
    Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet
    Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet
    Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
    Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packetu
    All possible debugging has been turned off
    C2621#
    Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1
    Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
    Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=
    Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
    Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
    Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)no
    Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets
    C2621#
    David

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
    >>ip radius source-interface mgmt 0
    >>radius-server key XXXXX
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
    >>authentication login default group Radius_Group aaa authentication
    >>login console local aaa group server radius Radius_Group
    >>    server X.X.X.X
    >>    server X.X.X.X
    >>    source-interface mgmt0
    Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
    shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
    Does anyone know if this works????
    Thanks

    I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • NAS configure with 2 ip address failed on AAA authentication

    I have routers configured with 2 bvi interfaces for dlsw.
    When I configure NAS setting with 2 ip address, sometime the AAA authentication failed to prompt for user authentication.
    Should I used ip tacacs source-interface?
    If I configure only one, if that interface is down, then I will not be authentication using AAA even the second bvi interface is up.

    Chee
    The AAA server identifies the client by a single IP address and the client always needs to use that address as the source address. If you have 2 BVI interfaces it may be that sometimes the source address is one and sometimes the source address may be the other. That would account for the fact that sometimes it promts for user authentication and sometimes it does not prompt.
    If using 1 BVI as the source address creates the potential that sometimes it might not work because that interface was down but the other BVI was up, then perhaps you should consider configuring a loopback address and using the loopback address as the source address. If the loopback was the source address then it would not matter which BVI might be up and which might be down.
    HTH
    Rick

  • Fixed ip for vpn user- aaa authenticated

    Hi all,
    i am using asa 5520 as my vpn box. All vpn users login to vpn box associated with a aaa server. The authenticaltion takes place on aaa server. If i use local database for user login, i can assign fixed static ip to the user via its vpn properties. But now i am using aaa for authentication and i want to assign fixed statix IP for some users. How can i do this?

    with local aaa authentication
    go to the user atributes
    like username vpnuser attributes
    vpn-framed-ip-address 192.168.50.1 255.255.255.255
    this will give that ip to that user
    if u are useing cisco ACS
    under the user setting
    go to :
    Assign static IP address-If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup
    and the following link give step-by step intstruction to configure cisco ACS AAA
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
    good luck
    please, if helpful Rate

  • LMS 3.2 - Problem with inventory of switches using AAA authentication

    Hi all,
    we want to migrate our network equpiment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for priv level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when device login credentials are telnet password, enable password.
    I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked it by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks could't pull an inventory of the switch any more. Every inventory job failed.
    Any help would be appreciated. Thanks a lot.
    Regards
    fred

    Joe,
    excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
    fred

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
    I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
    For all users i need to have different privilege levels based upon which access will be granted.
    could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    your definition for the aaa-server is different to the aaa authentication server-group
    try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Aaa authentication for https access

    I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
    Thanks in advance,
    Eric

    My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
    HTH
    Rick

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    --> Config Begins <---
    aaa new-model
    aa group server radius radius-auth
    server x.x.4.23 auth-port 1645 acct-port 1646
    server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
    server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
    ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • Why do we need aaa authentication enable

    Hi all 
    Why do we need the  " aaa authentication enable default group tacacs+ enable" . Is " aaa authentication login default group tacacs+ enable" 
    is not enough ? 
     aaa authentication login default group tacacs+ enable
     aaa authentication enable default group tacacs+ enable
    Thanks 

    Hi jatin ,
    Just for clariffication ,  if i add  " aaa authentication enable default group tacacs+ enable"   , once authenticated  device will go directly to enable mode . 
    As you said  
    aaa authentication login default group tacacs+ local
    in case tacacs failed  user has to enter local username and password . once it is authenticated  
    " aaa authentication enable default group tacacs+ enable " will be executed and the user  have to enter the enable (local db )  secret .
    Please correct me if  iam wrong
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

  • IDM Password Reset Authentication Questions

    Hi,
    We are implementing Password Self Service using IDM 7.1, everything is set up and we have tested and were able to reset password for users to connected target systems. we are now doing some cosmetic changes before going live, like
    setting up new authentication questions and changing existing questions from IDM.
    In total we have 10 questions and the way we set it is
    Minimum number of validation questions = 5
    No. of questions to show = 3
    No. of answers required = 3
    After setting all 10 questions, i took a new test id who was never set with a profile and set its profile with 5 random questions answers out of 10 and saved it, went back to   /idm/pwdrest  and entered the unique id which is the user id and the 3 challenge questions it showed up were not the ones i set my answers to.
    Why is it prompting the questions for which i have not set answers to ?
    Can anyone tell me if i am missing any config creating these attributes ?? or its the way IDM works ??
    Thanks.

    Greetings,
    It has been my experience that the system will show any of the available questions when a user has not had any answers set. Sometimes, there is a disconnect with the Unique ID entered and the user ID stored in the identity store and it just cannot find the stored answers. As long as the additional question attributes you created follow the existing convention, they should be fine.
    I would start by looking at what question attributes you have commited for the user and which ones show in the pwdreset task screen for the user. You can also run the guided task several times with the same ID to see what rotation of questions you see to see if it is going through all 10 or only a certain subset.
    Do you have a self-service task configured to set the question answers?
    Thanks,
    Jared

Maybe you are looking for

  • Help With PDF FILE Conversion

    Hi, I've been using Flash Professional CS 5.5 to create a "simple presentation" for a project I want funding for, which must be presented in a PDF format. I used CS5.5 thinking that the simple presentation template and the program in general was simp

  • Last name is incorrect on my Apple Support Community acct. How do I fix it?

    I made a typo in my last name (I know...I know...stupid). I don't see an obvious way to update my Apple Support Community account's last name. Can it be done?

  • OLT - Why can't it find my databank file after I've uploaded it?

    I got this last minute high priority load test dropped in my lap the last second so any help asap would be greatly appriciated! We've started using OpenScript, but not OLT yet so I'm trying to figure this out. All I'm trying to do is run a simple log

  • Progress Bar in Datagrid in flex

    Hi, I have a urgent requirement, which needs to have ProgressBar in DataGrid. I want to set progress for each of the ProgressBar in datagrid to be binded to a cloum (i.e your progress bar column is binded to some object in array collection). Please d

  • Oracle Portal master details default value set up.

    Hi All, Using Oracle Portal to create a master details form. I have tried to set up the details table foreign key. I used the master table primary key as a default value for the details table foreign key. Does anyone know what the correct syntax is w