Aaa authentication serial console LOCAL did not work!!

Hypertermed in and the console came right up.  Privileged Exec mode does require a password but logging out (disable) requires username and password.
Also, neither the exec nor MOTD banners work but guess what, they show up upon logout as well ...
Ponderous, really ponderous.
ej

Hello,
It's an ASA 5505 and I'm currently on ver 8.2(5).  I was on 9.2(2) but reset back to factory default out of frustration. 

Similar Messages

  • Aaa authentication enable console issue

    I have an ASA5505 running 8.2(5). It is configured with
    aaa authentication telnet console xxxxxx LOCAL
    and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
    I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.
    I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.
    I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
    Could there be something that needs to be changed on the ACS server to make this work?
    Thanks.

    Using TACACS+
    No command authorization rules are being used
    When I add the aaa authentication enable console xxxxxxxx LOCAL command,
    and use login instead of enable, I get Login failed if I try to use my credentials.
    However, if I use login with the locally configured username and password, it lets me in.
    Here is the config (without the aaa authentication enable console command):
    User Access Verification
    Username: xxx/xxxxxxxxxx
    Password: ************
    Type help or '?' for a list of available commands.
    FW> en
    Password: ********
    FW# sh ru
    : Saved
    ASA Version 8.2(5)
    terminal width 511
    hostname xxxxxxxx
    enable password *********** encrypted
    passwd *********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan xxx
    interface Ethernet0/1
    switchport access vlan xxx
    shutdown
    interface Ethernet0/2
    switchport access vlan xxx
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlanxxx
    nameif inside
    security-level 100
    ip address x.x.x.x x.x.x.x
    interface Vlanxxx
    nameif OUtside
    security-level 0
    ip address x.x.x.x x.x.x.x
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    access-list Outside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list OUtside_access_in extended permit icmp any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside x.x.x.x
    mtu inside 1500
    mtu OUtside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group inside_access_in in interface inside
    access-group OUtside_access_in in interface OUtside
    route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server xxxxxxxxx protocol tacacs+
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa authentication http console ******* LOCAL
    aaa authentication ssh console ******* LOCAL
    aaa authentication telnet console ******* LOCAL
    aaa local authentication attempts max-fail 5
    http server enable
    http x.x.x.x x.x.x.x inside
    http x.x.x.x x.x.x.x inside
    snmp-server host inside x.x.x.x community ***** version 2c
    snmp-server host OUtside x.x.x.x community ***** version 2c
    snmp-server host inside x.x.x.x community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet x.x.x.x x.x.x.x inside
    telnet x.x.x.x x.x.x.x inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config OUtside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:
    : end
    FW#
    Thanks.
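
The gap this post describes (per-user logins on telnet, SSH and HTTP, but a shared enable password because no "aaa authentication enable console" line is present) can be checked offline against a saved running-config. The script below is an added example, not part of the original thread or of any Cisco tool; the server-group name TACSRV, the finding labels and the sample configuration are constructed for illustration.

```python
import re

# Access methods accepted by the ASA command
#   aaa authentication <method> console {LOCAL | <server-group> [LOCAL]}
METHODS = ("serial", "enable", "telnet", "ssh", "http")

AAA_RE = re.compile(
    r"^\s*aaa authentication (\w+) console (\S+)(?:\s+(LOCAL))?\s*$"
)

# Constructed sample, modeled on the lines quoted in the post.
# TACSRV is a hypothetical server-group name.
SAMPLE_CONFIG = """\
aaa-server TACSRV protocol tacacs+
aaa authentication http console TACSRV LOCAL
aaa authentication ssh console TACSRV
aaa authentication telnet console TACSRV LOCAL
aaa authentication telnet console TACSRV LOCAL
aaa local authentication attempts max-fail 5
username admin password xxxx encrypted privilege 15
"""


def parse_console_auth(config_text):
    """Map each configured method to its server group, fallback flag and line count."""
    found = {}
    for line in config_text.splitlines():
        m = AAA_RE.match(line)
        if not m or m.group(1) not in METHODS:
            continue
        method, group, local = m.groups()
        entry = found.setdefault(method, {"group": group, "fallback": False, "count": 0})
        entry["group"] = group
        # LOCAL alone is local-only; "<group> LOCAL" is a server with local fallback.
        entry["fallback"] = group == "LOCAL" or local is not None
        entry["count"] += 1
    return found


def audit(config_text):
    """Return a list of (method, finding) tuples in METHODS order."""
    found = parse_console_auth(config_text)
    per_user_login = any(m in found for m in ("serial", "telnet", "ssh", "http"))
    findings = []
    for method in METHODS:
        entry = found.get(method)
        if entry is None:
            if method == "enable" and per_user_login:
                # The situation in the post: users log in with their own
                # credentials, then share one enable password.
                findings.append((method, "shared-enable-password"))
            else:
                findings.append((method, "not-configured"))
            continue
        if entry["group"] != "LOCAL" and not entry["fallback"]:
            # No LOCAL keyword: nothing to fall back to if the server is unreachable.
            findings.append((method, "no-local-fallback"))
        if entry["count"] > 1:
            findings.append((method, "duplicate-line"))
    return findings


if __name__ == "__main__":
    for method, finding in audit(SAMPLE_CONFIG):
        print(f"{method:7s} {finding}")
```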

  • No AAA authentication on Console port

    I would like to configure our routers to use our ACS server for authentication and enable authorization for all telnet access but not use the ACS when connected to the console port. I was able to get the router configured so that console username and password access was local. However, when I attempt to go into enable mode from the console port the router still goes after the ACS server for the enable password. How do I get around this?

    --begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
    Thanks this does help. However, I'm still running into an issue. My ultimate goal is to have all users authenticate and get enable access through our ACS server based on their corporate NT domain username/pw. If the ACS server is unavailable go to the local data base. This is working fine for users telnetting to the routers and also works for the console port (if the ACS server is unavailable).
    However, with the ACS server active, when I console in I authenticate based on the local database admin/cisco. But when I attempt to go into enable mode the router still goes after the ACS server for a password. I would like console port users to always use the local enable password.
    I'm just trying to protect myself from a possible misbehaved ACS server.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec console local
    enable secret 5 --moderator edit--
    username --moderator edit--privilege 15 password 0 --moderator edit--
    line con 0
    exec-timeout 300 0
    authorization exec console
    login authentication console
    line aux 0
    line vty 0 4
    password --moderator edit--

  • Aaa authentication enable console (server_name) password issue

    Here is the problem I am experiencing and I hope someone out there is able to help;
    I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACAC server (which is running TACAC open source supplied by Cisco).
    The problem is as follows;
    I can telnet to the appliance remotely and using my username and password (configured on the TACAC server) I am authenticated. But after entering enable - I am prompted with the password prompt. But I cannot get past this prompt. I have tried the same password as I previously entered at the telnet prompt and failed, the local enable password fails as well. Any suggestions?
    aaa-server (server_name) protocol tacacs+
    aaa-server (server_name) (interlinkport) host (Address)
    key (password)
    aaa authentication enable console (server_name) LOCAL
    aaa authentication enable console (server_name) LOCAL
    aaa authentication http console (server_name) LOCAL
    aaa authentication serial console (server_name) LOCAL
    aaa authentication ssh console (server_name) LOCAL
    aaa authentication telnet console (server_name) LOCAL
    aaa accounting command privilege 15 (server_name)
    aaa authorization exec authentication-server

    I think I can help you here since I've been using Cisco
    Freeware TACACS+ for almost 7 years now. I am not
    an expert, just enough to be dangerous.
    Since the code is open-source, each company uses
    it differently; however, there is one thing that will
    always be true. That would be the enable.c file,
    which is a C program. You would need to modify
    this file so that EVERYONE can have his/her own
    enable password, just like Cisco ACS running on
    Windows platforms.
    The configuration file would look something like this:
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    # login entry for the user
    user = cciesec {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec"
    }
    # second entry holding the same user's enable password
    user = $cciesec$ {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec1"
    }
    group = admin {
        default service = permit
    }
    On the Pix:
    aaa-server NEO protocol tacacs+
    aaa-server NEO (outside) host 192.168.15.10
    timeout 5
    key cciesec
    aaa authentication ssh console NEO LOCAL
    aaa authentication enable console NEO LOCAL
    Here is the login sequence:
    [root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
    The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
    RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
    cciesec@192.168.0.25's password:
    Type help or '?' for a list of available commands.
    CiscoPix> en
    Password: ********
    CiscoPix#
    In other words, my initial password is "cciesec" and my enable password
    is "cciesec1". Another user "tom" will have his own login and enable
    password.
    Simple enough?

  • I purchased PSE 13 but have a Vista OS. It was suggested in this chat room that I download PSE 12. I did that & installed. The serial # for 13 does not work. Any thoughts on how I can get a number for PSE 12?

    I purchased PSE 13 but have a Vista OS. It was suggested in this chat room that I download PSE 12. I did that & installed 12.
    The serial # for 13 does not work. Any thoughts on how I can get a serial number for PSE 12?

    Hi
    There is a newer version of Resolution+ Plug-in released for an Qosmio X series
    [Resolution+ Plug-in v 1.1.2004|http://eu.computers.toshiba-europe.com/innovation/download_driver_details.jsp?service=EU&selCategory =2&selFamily=381&selSeries=231&selProduct=7506&sel ShortMod=null&language=13&selOS=all&selType=400&ye arupload=&monthupload=&dayupload=&useDate=null&mod e=allMachines&search=&action=search&macId=&country =all&selectedLanguage=13&type=400&page=1&ID=82406& OSID=30&driverLanguage=42]
    try it out...
    If it has not been installed properly, try rebooting your computer and reverify.

  • I have a iPhone4 acquired in Portugal. I will be moving to the EQUATOR (South America). Whenever I have visited the country before, with other cellphones, they did not work (different band) forcing me to buy a local cellphone. Will my iPhone4S work there?

    I have a iPhone4S acquired in Portugal. I will be moving to the EQUATOR (South America). Whenever I have visited the country before, with other cellphones, they did not work (different band) forcing me to buy a local cellphone. Will my iPhone4S work there?

    If it is unlocked it will work if you get a SIM from the carrier you will be using. Note that Apple does not and cannot unlock phones. Only the carrier it is presently locked to can unlock it.

  • I just got a new macbook pro. How do I get the 900  songs that I took off of cds into iTunes on my computer from my iPhone. I had no problems syncing the music I had purchased from iTunes. I have tried to sync it using iTunes match, this did not work.

    I just got a new macbook pro. How do I get the 900+  songs that I took off of cds into iTunes on my computer from my iPhone. I had no problems syncing the music I had purchased from iTunes. I have tried to sync it using iTunes match, this did not work. I would like to have access to my full library without going into the user profile of my old computer, which is on my new computers hard drive. I would like to eventually delete the old profile so that I have more space on my hard drive.

    http://support.apple.com/kb/HT4527?viewlocale=en_US&locale=en_US

  • I bought an Iphone that did not work and return it and no one can answer me as to what happen once it was received by Verizon

    On March 14th I bought an iPhone the wi-fi did not work, I called Verizon support after hrs and days they could not help.(I purchase it on-line from Verizon.com) So I went to the local Verizon store was there for about 2 hrs and finally they said to come back the next day and they would have an answer which I did and they didn't they said to call Verizon to return the phone.  When I called they said to just use the label that was enclosed. I asked if I needed anything else they said no that my tracking number on the label was all I needed.  Well after many calls the last one lasting 90 minutes and the person telling me that she would fill out some form and send it to the return section and call me back.  She never called back.  I have the tracking info that it was deliver to them yet I not received a replacement phone nor a refund.  Can anyone help me?  What should I do now? Can't call the I just tried and again they start with let me transfer to this other section (no answer).  I am so frustrated I hate Verizon Customer Service or lack of -

        I'm so sorry about this experience Appleby. I can certainly assist you in getting this cleared up. I sent you a Direct Message.
    Thank you,
    VanessaS_VZW
    Follow us on Twitter @VZWSupport

  • I just fix my macbook air because it was kernel panic. They changed the hard drive. I could not back up with Time Machine, because it did not work and I had over Adobe creative suite 5 design premium student. But I finished my studies last year and I'd li

    I just fix my macbook air because it was kernel panic. They changed the hard drive. I could not back up with Time Machine, because it did not work and I had over Adobe creative suite 5 design premium student. But I finished my studies last year and I'd like to know how to get the serial number for me to reinstall Adobe creative suite 5 design premium when I am no longer study because I would still like the used? It is not fair if I do anymore because I really need.

    You can download Creative Suite 5 here:
    Other downloads
    To deal with the issue of the serial number and using it again, you'll have to use Web Chat. Here's a link:
    Adobe ID, sign in, and account help
    See the bottom of the page for a link

  • I reinstalled photoshop elements 11 because it asked for a serial number and did not recognize the given number. But still the serial number is not , please help.

    I reinstalled photoshop elements 11 because it asked for a serial number and did not recognize the given number. But still the serial number is not recognized, please help.

    After some serious hunting I finally found a link for live chat (that hunting also included switching to Internet Explorer where I had been using Chrome; I don't know if that's what made the difference). I gave the person at chat my redemption code; soon they came back and told me they had validated the code.
    I went to the code redemption page and put in the code, and AGAIN it came back invalid! A second visit to chat yielded a similar promise, but with instructions to go to my Adobe ID page and check for the serial number there, under Products and Plans. I went there, checked Products and Plans, and found no serial number.
    I was borderline homicidal at this point.
    Still on the ID page, out of desperation I clicked on the Other Products link, and there, FINALLY, I found the serial number. It worked when I ran the install program, and now PS 11 Elements is up and running on my computer.
    I would compare getting a serial number to PS 11 Elements to trying to find the Ark of the Covenant, except that finding the Ark is a cinch by comparison. I'm sure the difficulties I encountered were not of your making, but were the result of some horrible brain farts of those above you. Thanks for your help.
    John

  • RDP Error: Your credentials did not work. SAP AS ABAP 7.4 SP5 incl. BW on SAP HANA 1.0 SP7

    Hi Experts,
    I have created instances from the SAP Application Server ABAP 7.4 SP5 incl. Business Warehouse on SAP HANA 1.0 SP7 [Developer Edition] free trial solution, as it is described in documentation. But I cannot connect to the Frontend Server instance (Windows 2008) via Remote Desktop Connection, I got a message: Your credentials did not work. User: Administrator, with the master password (pwd not mistyped, while it works on PUTTY, via Saplogon, etc.). I have a 64-bit Windows 7.
    I have done the following so far:
    First I have created an instance with the Public option, but the same RDP error. Then I have created a new instance as a Corporate Network. The result is: I can connect to VPN service, I can ping the Windows server, but I cannot log on to it with RDC. On AWS I have opened all ports for this instance. Then I updated my RDP, JAVA, enabled RDP on Firewall. Just for a test, I have also switched off Firewall and the AntiVirus program, still nothing. I have tried a Remote Desktop Connection to my Windows Instance from another laptop with Windows 32 bit system (from home and work too), and still facing the same problem: Your credentials did not work. Then I have also tried a tip from windows site (enablecredsspsupport:i:0 into .rdp). When I start the RDC, I get a certification error: The server name on the certificate is incorrect, but I can proceed.  Now the windows logon screen on the remote system appears, but still the same result: The user name or password is incorrect.
    I would really appreciate some help.
    Thanks,
    Andrea

    Hi Yogesh,
    Unfortunately this problem is not solved, I still cannot use the Frontend Instance. I use another solution:  I manage to access the SAP Backend instance ( SAP HANA and AS ABAP ) from my local client (laptop). The disadvantage of this solution is that I had to install myself the client part ,but at least  it works.
    Regards,
    Andrea

  • EAX console woes: did not detect required components/audigy2 not detec

    After a recent reformat, I go to install the EAX console after the latest drivers (don't have my original CD by the way) aaaand get the "did not detect required components" message.
    So I search on it and it doesn't have anything to do with my drive paths and such. I've tried an Audigy2 and Audigy2 value ISO, but they tell me they don't detect an audigy2... dxdiag tells me differently, however. I'm not in the mood for downloading a bunch more 400 mb ISOs to test them all out either..
    I'm at a loss here and really need the EAX console... autoupdate detects my card as "Sound Blaster Audigy 2, DR release .88.20"

    nanite2000 wrote:
    superidan wrote:
    I have retail Audigy 2 card. tried removing the card and installing on a different slot. Nothing Works! it produces the same "no audigy 2 card found - setup will now exit" Creative should be ashamed thanks
    Yes, Creative should be ashamed.
    This is a known problem that has been around for months and they have failed to address, just like many other problems with their soundcards. For the solution to this particular problem, look here:
    http://forums.creative.com/creativel....id=3964#M3964
    If you would reread my original post in this thread, that solution did not work for this particular problem of mine. I have a SoundBlaster Live! Card that this solution worked for, however it does not work for the Audigy 2 card - unzipping the files with WinRar and then running the Setup.exe files produces the same result - setup does not recognize the required components and will close.
    I'm not saying that the person who you quoted should not try it though.

  • I am on windows 7 and I upgraded to 10.0.2 and now it will not open. I have removed firefox completely and uploaded it again and that did not work. So my latest attempt I removed firefox 10 again and uploaded the beta version and once again nothing.

    I am on windows 7 and I upgraded to the newest version of firefox and now it will not open. I have removed firefox completely and uploaded it again and that did not work. I then made sure it could get through my firewall and that did not work. So my latest attempt I removed firefox 10 again and uploaded the beta version hoping that would do it and once again nothing. It will not open at all. Please help - is there a live chat or a number to talk to someone at Firefox?

    I think when uninstalling you may also have to choose (tick) to delete the preferences and other personal data like the bookmarks, stored passwords etc. to erase completely. If you are installing afresh, please try right-clicking on the file and '''Run as administrator''' to install. And when uninstalling, please also make sure choose to delete all data and also manually delete any '''Mozilla''', '''Mozilla Firefox''' or '''Firefox''' from %appdata%, %localappdata% and %programfiles%. You can open a location by typing for eg. %appdata% in the '''Run''' box (Windows key + R). You may also have to check the '''VirtualStore''' folder in %localappdata%. Files in the VirtualStore can be problematic. I think a clean installation may help.
    [https://www.mozilla.org/en-US/firefox/new/ Firefox]
    [http://kb.mozillazine.org/Installation_directory Installation Folder]
    [http://kb.mozillazine.org/Profile_folder Profile Folder]
    Please note that using system restore would usually damage the Firefox installation.

  • My iPod 5 will not sync ANY music. All my music was on prior to syncing. The sync deleted all my music. I can now no longer add any music. I have the "sync music" checked. Restoring factory settings did not work. Any thoughts?

    All my music was on prior to syncing. The sync deleted all my music. I can now no longer add any music. I have the "sync music" checked. Restoring factory settings did not work. Any thoughts?

    When you synced with iTunes, it would have tried to replace the music on the iPhone with what is on the computer, which is what happens when you sync with iTunes.
    If the songs are purchased you can re-download them pretty easily. You mentioned that you still see the songs and that you could not play them. Do they have a Cloud symbol next to them? If so this means that you can download them but that they are not on the device.

  • I recently tried to burn some photos to a disc.  It did not work, but then I ended up with a .fpbf folder on my desktop.  Can't trash it, and when trying to burn again, I get this "... can't be burned because the original items can't be found". Help???

    I recently tried to burn some photos on a CD. For some reason, it did not work.  Now I have a .fpbf folder on my desktop. I can't seem to get rid of it.  I tried dragging it to the trash, but then I get a box asking me to type my password, so Finder can make the changes.  Doing so does nothing at all.  And when I try to burn another CD from the same .fpbf file, I get the following message: "There are 35 items that can’t be burned because the original items can’t be found. Skip the items and continue burning?".   When I skip and continue burning, nothing shows up on the CD.  In the meantime, the .fpbf folder is still on my desktop.  I tried changing the aliases on each pic, but it still doesn't work.  Any ideas of how I can remove this folder from my desktop?
    Thank you.

    Beavis2084,
    Thank you for your detailed explanation but something is seriously wrong with my computer. Although the method you have described is very similar to the one I tried in step 2 from my second post, I have since "done things" which may have complicated matters—or suggests that my computer has a more serious problem.
    Here's what I did:
    1). Installed Onyx and discovered that I had a .plist file (com.apple.iphotomosaic.plist) that was causing a Syntax error: "Conversion of data failed. The file is not UTF-8, or in the encoding specified in XML header, if XML." After doing some research online, I was given the understanding that downloading the iLife update 9.0.3 (I installed the more recent version, 9.0.4) would solve this problem because it would also fix some system issues. So, I downloaded it...and when it didn't solve the problem, I decided to just delete that .plist file.
    2). I read your new post and decided to follow your directions, even though I realized they were basically the same steps I followed in the 2nd method I mentioned earlier. I say "basically" because, for some reason, after inserting a blank disc, my computer does not open the disc in the Finder. Instead, it places the blank disc's image on the Desktop, even though the Finder's Preferences and the System's Preferences are set to have it open in the Finder - nothing should be on my Desktop! (Note: When transferring the items (all folders) I want to burn to the blank disc, I did not use the Option-Click-Drag method as before, I used the Click-Drag method, which created the curved arrow in the lower left corner of each item.)
    Now, for the result of "method 2," the method we basically have in common, the computer goes through the burn stage but, in the verify stage, tells me that it is unable to verify the disk, suggests that my DVD may be unreliable and that I should try another disc, and then tells me about some "fork" (?) error (-43).
    I don't know what to do anymore...
