AAA authentication / Radius-Servers
Hello cisco folks,
I have a technical question I would like to ask. I'm able to set up my 3750E switch to log in through a RADIUS server with my company user ID and password, but I would like to set it up so that when I log in it drops me at the enable prompt. Right now I have to type >en
and then the enable password. Thanks in advance.
Paul
Hi Bro
Yes, this can be achieved on Cisco IOS devices but not on Cisco ASA. On Cisco ASA, you still have to type the "enable" command.
Just ensure you have the configuration shown below, and all should be good:
enable password cisco
aaa new-model
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group radius local
username ram privilege 15 password 0 cisco
username cisco privilege 7 password 0 cisco
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip radius source-interface FastEthernet0/0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
privilege interface level 7 shutdown
privilege interface level 7 ip address
privilege interface level 7 ip
privilege interface level 7 no shutdown
privilege interface level 7 no ip address
privilege interface level 7 no ip
privilege interface level 7 no
privilege configure level 7 interface
privilege configure level 7 shutdown
privilege configure level 7 ip
privilege configure level 7 no interface
privilege configure level 7 no shutdown
privilege configure level 7 no ip
privilege configure level 0 no
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 undebug ip rip
privilege exec level 7 undebug ip
privilege exec level 7 undebug all
privilege exec level 7 undebug
privilege exec level 7 debug ip rip
privilege exec level 7 debug ip
privilege exec level 7 debug all
privilege exec level 7 debug
line con 0
 authorization exec VTY
 login authentication VTY
line aux 0
line vty 0 4
 authorization exec VTY
 login authentication VTY
end
Note: Ensure your user ID on your RADIUS server has the correct AV-pair parameter: shell:priv-lvl=15
P.S.: if you think this comment is helpful, please do rate it nicely :-)
Similar Messages
-
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
ip radius source-interface mgmt 0
radius-server key XXXXX
radius-server host X.X.X.X key XXXXX authentication accounting
radius-server host X.X.X.X key XXXXX authentication accounting
aaa authentication login default group Radius_Group
aaa authentication login console local
aaa group server radius Radius_Group
  server X.X.X.X
  server X.X.X.X
  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field on the RADIUS server.
Does anyone know if this works?
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which differs in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
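The mechanism behind both this post (shell:roles for NX-OS) and the first post above (shell:priv-lvl=15 for IOS) is the same: the string rides in a RADIUS Vendor-Specific attribute under Cisco's vendor ID 9, and the switch only trusts it because the Access-Accept carries a Response Authenticator computed with the shared secret. The Python below is an added example, not code from either thread, from Cisco, or from any RADIUS server; it builds such an Access-Accept, checks it the way the NAS would (right secret, wrong secret, replay against a different request), and parses the AV-pairs back out. The secret, identifier and request authenticator are made up. The default privilege level of 1 when no priv-lvl is returned, and accepting both the "=" and the ACS optional-attribute "*" separator in shell:roles, are assumptions about device behaviour and are marked as such in the comments.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor type of Cisco-AVPair inside the VSA


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap e.g. 'shell:priv-lvl=15' in a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    raw = text.encode()
    vendor_data = bytes([CISCO_AVPAIR, len(raw) + 2]) + raw
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, avpairs) -> bytes:
    """Access-Accept whose Response Authenticator binds it to one Access-Request and the secret."""
    attrs = b"".join(encode_cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply forged without the secret, or replayed against a different
    request authenticator, fails here and must be discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_cisco_avpairs(packet: bytes) -> list:
    """Return the Cisco-AVPair strings carried in a RADIUS packet, in order."""
    pairs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        pos += length
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vendor_type, vendor_len = value[4], value[5]
        if vendor_id == CISCO_VENDOR_ID and vendor_type == CISCO_AVPAIR:
            pairs.append(value[6:4 + vendor_len].decode())
    return pairs


def ios_privilege_level(avpairs) -> int:
    """IOS exec authorization: use shell:priv-lvl if present. Assumption for this example:
    a user with no priv-lvl lands at the default level 1 (user EXEC, the '>' prompt)."""
    for pair in avpairs:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return 1


def nxos_roles(avpairs) -> list:
    """NX-OS reads shell:roles="role1 role2". Assumption: both the '=' and the ACS
    optional-attribute '*' separator are accepted; an empty list means no role was granted."""
    for pair in avpairs:
        if pair.startswith("shell:roles"):
            value = pair[len("shell:roles"):].lstrip("=*").strip('"')
            return value.split()
    return []


if __name__ == "__main__":
    secret = b"cisco"                 # constructed; matches the 'key cisco' in the first post
    request_auth = os.urandom(16)     # would come from the Access-Request being answered
    reply = build_access_accept(7, request_auth, secret, ["shell:priv-lvl=15"])
    print("genuine reply accepted:", verify_access_accept(reply, request_auth, secret))
    print("reply with wrong secret:", verify_access_accept(reply, request_auth, b"wrong-secret"))
    print("IOS privilege level:", ios_privilege_level(parse_cisco_avpairs(reply)))
    reply = build_access_accept(8, request_auth, secret, ['shell:roles="network-admin vdc-admin"'])
    print("NX-OS roles:", nxos_roles(parse_cisco_avpairs(reply)))
```

The Response Authenticator is the only thing that ties a privilege-15 grant to the server that holds the secret, so a weak or widely shared RADIUS key is effectively an enable password for every device that trusts it.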
AAA authentication with RADIUS
Hi,
aaa authentication login user-list group radius local
radius-server host 10.1.1.3 auth-port 1645 acct-port 1646 key xxxx
radius-server deadtime 10
If i add more radius-server host such as
radius-server host 10.1.1.4 auth-port 1645 acct-port 1646 key xxxx
1. Server 10.1.1.4 will be backup for server 10.1.1.3?
2. Can i configure to be radius group?
Thanks
Hi,
you can try the following:
Router(config)# aaa group server radius RADIUS-GROUP
Router(config-sg-radius)# server 10.1.1.3
Router(config-sg-radius)# server 10.1.1.4
When you configure the AAA group like this, 10.1.1.3 will be primary and 10.1.1.4 secondary.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Cisco AAA authentication with windows radius server
Cisco - Windows Radius problems
I need to create a limited access group through RADIUS that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the RADIUS server is passing the correct attribute:
***Jan 21 13:59:51.897: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like you're in priv exec
mode, you are not.
***Radius-Test#sh run
^
% Invalid input detected at '^' marker.
Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command it moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesn't matter that I was given priv level 7 by RADIUS because 'enable' put me into priv 15.
***Radius-Test#sh priv
Current privilege level is 15
Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doesn't actually run the command.
What am I doing wrong?
I also want to get PKI working with RADIUS.
I can run a test on my RADIUS system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch? -
Dot1x with port security and redundant radius servers
I have a strange issue with my dot1x port authentication. I have two RADIUS servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy with the RADIUS servers, when I have both servers active and running, the port authentication works fine for both phone and PC. When I fail the RADIUS server in the configuration, by disconnecting the NIC on it, the switch goes to the surviving RADIUS server and authenticates (I can see it in the running log); both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the PC. Strange, since it showed an accept on the RADIUS server.
This only seems to happen when the first one on the list is failed. When the second one is failed, it obviously won't need to try it, so there's not an issue. Any ideas?
Here's the setup and configs:
freeradius 2.1.12-4
cisco 3560
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560G-48PS 12.2(53)SE2 C3560-IPBASEK9-M
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 110
 authentication event no-response action authorize vlan 901
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 1
 no mdix auto
 spanning-tree portfast
radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
Here's an authentication string from the radius server:
(There are two MAC addresses. The first one, 00-13-..., is the PC and the second, 30-37-..., is the phone.)
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
User-Name = "001372b639a6"
User-Password = "001372b639a6"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "00-13-72-B6-39-A6"
Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: %{User-Name} -> 001372b639a6
Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
User-Name = "3037a616cd49"
User-Password = "3037a616cd49"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "30-37-A6-16-CD-49"
Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: %{User-Name} -> 3037a616cd49
Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
Thanks!
802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
Please check the below links which can be helpful in configurations:
Link-1
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html -
How to set two radius servers one is window NPS another is cisco radius server
how to set two radius servers one is window NPS another is cisco radius server
When I try the following commands, once the Windows server has first priority and I type a Cisco RADIUS user name, authentication fails.
I cannot use both at the same time.
radius-server host 192.168.1.3 is Windows NPS
radius-server host 192.168.1.1 is the Cisco RADIUS server
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
conf t
no aaa authentication login default line
no aaa authentication login local group radius
no aaa authorization exec default group radius if-authenticated
no aaa authorization network default group radius
no aaa accounting connection default start-stop group radius
aaa new-model
aaa group server radius IAS
 server 192.168.1.1 auth-port 1812 acct-port 1813
 server 192.168.1.3 auth-port 1812 acct-port 1813
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
privilege exec level 1 show config
ip radius source-interface Gi0/1
line vty 0 4
 authorization exec userAuthorization
 login authentication userAuthentication
 transport input telnet
line vty 5 15
 authorization exec userAuthorization
 login authentication userAuthentication
 transport input telnet
end
conf t
aaa group server radius IAS
 server 192.168.1.3 auth-port 1812 acct-port 1813
 server 192.168.1.1 auth-port 1812 acct-port 1813
end
The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable, and then move to the third one, and so on.
If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs.
I hope this helps!
Thank you for rating helpful posts! -
AAA Authentication and VRF-Lite
Hi!
I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
The setting is as follows. A /31 link net is set up between PE and CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used).
Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
--> Config Begins <---
aaa new-model
aaa group server radius radius-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
ip radius source-interface <outside-if> vrf 10
---> Config Ends <---
The VRF-Lite instance is configured like this:
---> Config Begins <---
ip vrf 10
rd 65001:10
---> Config Ends <---
Now, if I remove the VRF-Lite setup and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems; in other words, the AAA/RADIUS part is the only service not working.
Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
aaa group server radius RADIUS-VRF-X
 server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
 ip vrf forwarding X
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168 -
5508 WLC version 7.6 maximum RADIUS Servers
Hi All,
Is there a maximum limit for RADIUS Servers that we can configure for Authentication under Security TAB in WLC 5508/8500 with version 7.6?
We have 6 RADIUS Servers that needs to be configured for WLAN Client Authentication.
Thanks,
CJ
IIRC the limit is 16 servers on the WLC, but you can only call up to three under the WLAN itself.
If you need to be able to fail over to anything beyond 3, then check the network user box in the AAA server configuration to make it globally available.
HTH,
Steve -
I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.
I've implemented the following commands:
aaa-server LOCAL protocol local
access-list authlist permit tcp any any eq www
aaa authentication match authlist outside LOCAL
When these commands are used, authentication works as advertised. When I change the access-list to:
access-list authlist permit tcp any host 192.168.1.2 eq www
where 192.168.1.2 is a web server, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.
Any ideas?
Noah
Hi,
The solution lies in where you are trying to access the server from, and where you have applied the authentication to occur.
192.168.1.2 definitely doesn't appear to be a global IP (if you are not working in a test scenario).
outside in the authentication statement means that we want authentication to happen for all the traffic coming in on Outside interface to authenticate.
Little topology detail will help.
Regards,
Prem -
AAA authentication for networking devices using ACS 4.1 SE
Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
I want Telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then via the local enable password.
For all users I need to have different privilege levels, based upon which access will be granted.
Could you please send me the config that is required on the active devices as well as on ACS!!!!
Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH -
AAA Authentication for Traffic Passing through ASA
I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable
Your definition for the aaa-server is different from the aaa authentication server-group.
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL -
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There are no problem between primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This may be because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
Patrick
Tarik Admani wrote:
Amjad, that is a good observation. Shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup. Thanks, Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs, and you can configure only one WLC (the primary) and all the configuration can be replicated and synced to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
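Two things in this thread and in the 802.1X/MAB thread above (the FreeRADIUS log showing User-Name and User-Password both equal to the client MAC, Service-Type = Call-Check, and a Message-Authenticator attribute) can be checked mechanically rather than by staring at logs: whether the Message-Authenticator is valid for a given shared secret, which is exactly what the ACS 11036 error reports when it is not, and what the PAP User-Password in a MAB request actually decrypts to. The Python below is an added example, not code from either thread or from Cisco, ACS or FreeRADIUS. It constructs an Access-Request shaped like the first logged one (the shared secret and the request authenticator are made up; the identifier, MAC and NAS address are taken from the log), verifies the HMAC-MD5 Message-Authenticator with the right and with a wrong secret, decrypts the User-Password, and classifies the request as MAB. Rejecting a request that has no Message-Authenticator is a policy choice made in this example, not something the RFC requires for PAP.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_CALL_CHECK = 10     # the Service-Type a Cisco switch sends for MAB


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet: bytes) -> list:
    """[(type, value), ...] from the attribute region; raises on a malformed length."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 octets, XOR each block with MD5(secret + previous
    ciphertext block); the first 'previous block' is the Request Authenticator."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, authenticator: bytes, attrs) -> bytes:
    """Append a Message-Authenticator (RFC 2869 section 5.14): HMAC-MD5 keyed with the shared
    secret over the whole packet, with the attribute's own 16 octets zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
    return header + authenticator + body[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check. A secret mismatch between NAS and server fails here, which is what
    ACS reports as '11036 The Message-Authenticator RADIUS attribute is invalid'.
    Policy choice for this example: a request with no Message-Authenticator is rejected too."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def normalize_mac(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def is_mab_request(attrs) -> bool:
    """Cisco MAB looks like PAP with Service-Type=Call-Check and a User-Name equal to the
    client MAC in Calling-Station-Id; anything else with a MAC-shaped username is suspicious."""
    fields = dict(attrs)
    if fields.get(ATTR_SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_CALL_CHECK):
        return False
    name = normalize_mac(fields.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    station = normalize_mac(fields.get(ATTR_CALLING_STATION_ID, b"").decode(errors="replace"))
    return len(name) == 12 and name == station


def constructed_mab_request(secret: bytes, authenticator: bytes = None) -> bytes:
    """Constructed packet shaped like request id=204 in the FreeRADIUS log above
    (PC 00-13-72-B6-39-A6 behind NAS 10.90.100.7)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    mac = "001372b639a6"
    attrs = [
        (ATTR_USER_NAME, mac.encode()),
        (ATTR_USER_PASSWORD, encrypt_user_password(mac.encode(), secret, authenticator)),
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (ATTR_CALLING_STATION_ID, b"00-13-72-B6-39-A6"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 90, 100, 7])),
    ]
    return build_access_request(204, secret, authenticator, attrs)


if __name__ == "__main__":
    secret, authenticator = b"testing123", os.urandom(16)     # constructed values
    packet = constructed_mab_request(secret, authenticator)
    print("valid with right secret:", verify_message_authenticator(packet, secret))
    print("valid with wrong secret:", verify_message_authenticator(packet, b"wrong-secret"))
    attrs = parse_attrs(packet)
    print("MAB request:", is_mab_request(attrs))
    print("User-Password:", decrypt_user_password(dict(attrs)[ATTR_USER_PASSWORD], secret, authenticator))
```

The decryption shows why MAB is authorization by MAC rather than authentication: the "password" is the MAC itself, protected only by the shared secret and an MD5 stream, so the secret per NAS is the only thing standing between a spoofed MAC and an Access-Accept.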
AAA using Radius with 802.1x
Hello there,
We're going to be implementing 802.1x on our network of some really old switches (6509 CatOS with MSFC 2). We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS. How is that going to work? Do I just add another RADIUS server in my radius-server command and, more importantly, will .1x work on CatOS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old CatOS switches to see what kind of gotchas I can expect to run into.
Any advise, assistance would be greatly appreciated!
Thanks
Kiley
Salodh,
Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports. Thanks very much for your reply! -
Good morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
Dwane
For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication
For CatOS switches:
set radius server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: This will depending on the location of the pix firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative, and click Submit & Restart.
Hope this helps some. I had alot of help from Cisco TAC on this.
Dwane -
We are configuring 802.1x for wired client. ISE is our AAA server. While configuring, i came across 3 different command sets
1) radius-server host <primary aaa server> auth-port 1812 acct-port 1813
radius-server host <secondary aaa server> auth-port 1812 acct-port 1813
radius-server key <shared_key>
2) aaa group server radius < RADIUS group name>
server <Primary Radius Server IP> auth-port 1812 acct-port 1813
server <Secondary Radius Server IP> auth-port 1812 acct-port 1813
3) aaa server radius dynamic-author
client <Primary Server> server-key <radius_key>
client <Secondary Server> server-key <radius_key>
Now, we already created aaa server group in step 2.
What is the significance of step 3? If I don't add the clients under dynamic-author, what effect will it have on the overall configuration? Will CoA for posture be affected by this?
Thanks,
Aditya
Hello Aditya,
The commands in step #3 configure the NAD (In your case the switch) to accept CoA (Change of Authorization) which is used for 802.1x based network authentications. If you are only interested in configuring the switch for device administration then you don't need those commands, however, if you are planning on deploying 802.1x then you do need them. For more info check out this link:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
Thank you for rating helpful posts!
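What the "client <ip> server-key <key>" lines under "aaa server radius dynamic-author" in step 3 give the switch is a shared secret per CoA sender; without one, the switch has no way to authenticate a CoA-Request, and a Request Authenticator it cannot verify means the packet is silently discarded. The Python below is an added example of that NAD-side logic, not code from the thread, from Cisco IOS or from ISE. It uses a constructed client table standing in for the dynamic-author configuration, recomputes the RFC 5176 Request Authenticator, and answers with CoA-ACK, CoA-NAK with an Error-Cause, or drops the packet. The client IP, the key and the session table keyed by Acct-Session-Id are assumptions for the example; a real ISE CoA carries more attributes than the two used here.

```python
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
CODE_COA_NAK = 45
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 section 3.5

# Constructed stand-in for "aaa server radius dynamic-author / client <ip> server-key <key>":
# only these senders may issue CoA, each with its own secret.
DYNAMIC_AUTHOR_CLIENTS = {"10.0.0.100": b"ise-coa-key"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def find_attr(packet: bytes, wanted: int):
    """Return the first value of attribute `wanted`, or None if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None
        if attr_type == wanted:
            return packet[pos + 2:pos + length]
        pos += length
    return None


def coa_request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(identifier: int, secret: bytes, attrs) -> bytes:
    """Sender side (ISE): the authenticator is the proof that the sender holds the secret."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(body))
    return header + coa_request_authenticator(header, body, secret) + body


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def nad_handle_coa(packet: bytes, source_ip: str, sessions: dict, clients=DYNAMIC_AUTHOR_CLIENTS):
    """NAD (switch) side. Returns ("drop", None) when the sender is not a configured client or
    the authenticator is wrong; RFC 5176 says such packets are silently discarded, so spoofing
    the source IP alone cannot bounce or re-authorize sessions. Otherwise returns
    ("ack", packet) or ("nak", packet)."""
    secret = clients.get(source_ip)
    if secret is None:
        return "drop", None
    if len(packet) < 20 or packet[0] != CODE_COA_REQUEST:
        return "drop", None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "drop", None
    header, received_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(coa_request_authenticator(header, body, secret), received_auth):
        return "drop", None
    session_id = (find_attr(packet, ATTR_ACCT_SESSION_ID) or b"").decode(errors="replace")
    if session_id in sessions:
        sessions[session_id]["reauthenticate"] = True   # what a reauth CoA would trigger
        return "ack", build_response(CODE_COA_ACK, packet, secret)
    error = encode_attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))
    return "nak", build_response(CODE_COA_NAK, packet, secret, error)


if __name__ == "__main__":
    sessions = {"0000001F": {"mac": "00-13-72-B6-39-A6", "reauthenticate": False}}   # constructed
    request = build_coa_request(5, b"ise-coa-key",
                                [(ATTR_ACCT_SESSION_ID, b"0000001F"),
                                 (ATTR_CALLING_STATION_ID, b"00-13-72-B6-39-A6")])
    print(nad_handle_coa(request, "10.0.0.100", sessions)[0])   # ack
    print(nad_handle_coa(request, "10.0.0.200", sessions)[0])   # drop: not a dynamic-author client
    forged = build_coa_request(6, b"guessed-key", [(ATTR_ACCT_SESSION_ID, b"0000001F")])
    print(nad_handle_coa(forged, "10.0.0.100", sessions)[0])    # drop: bad authenticator
```

The practical consequence for the question asked: leave the dynamic-author clients out and the switch simply has no entry for ISE, so every CoA (posture re-authentication included) lands in the first "drop" branch and the session never changes state.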