AAA authentication using TACACS+ for LAP
With an Autonomous AP, you can configure AAA authentication using TACACS+.
In a lightweight AP, do you have a similar function where you authenticate using TACACS+ when you telnet/SSH into the LAP after it is registered to the WLC?
Rgds
Eng Wee
There really isn't anything you can do on the LAP through telnet/ssh. You can enable TACACS for access to the controller.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
Similar Messages
-
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we have FWSMs running version 3.2.22 and users authenticate using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
Now those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this in the config:
privilege show level 1 mode exec command access-list
Is there anything I am missing, or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For default login you need to use the first policy matched.
You can diversify telnet/ssh from http by creating different aaa groups.
But you will still be logging in telnet users (all of them) using one method.
I hope it is clear.
PK -
Privilege mode authentication using Tacacs for Cisco Routers
I am trying to set up a test environment where I need to be asked for both a username and password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options on TACACS in order to set it up right. Has someone ever done a setup like this before? I would appreciate any help on this. Thanks.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname 2621-3
boot-start-marker
boot system flash c2600-i-mz.123-26.bin
boot-end-marker
logging buffered 5001 debugging
no logging console
no logging monitor
enable password cisco
memory-size iomem 10
clock timezone CST -7
clock summer-time CST recurring
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip domain name int.voyence.com
ip name-server 192.168.21.5
!
key chain jetef
 key 10
  key-string c1sco
modemcap entry ZOOM
modemcap entry ZOOM
username jeff password 0 jeff
tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
 exec-timeout 15 0
 logging synchronous
 speed 115200
line aux 0
 exec-timeout 15 0
 password 7 104D000A0618
 logging synchronous
 modem InOut
 modem autoconfigure discovery
 terminal-type monitor
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 exec-timeout 15 0
 password cisco
 private
 logging synchronous
-
Use Tacacs+ for Admin auth & Radius for user Auth?
Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.
Don't know about 1200s but you can do this on 1130AGs. Create an AAA group for authentication via RADIUS, and one for TACACS+, then use the AAA groups to point console/vty to the TACACS+ group, and EAP authentication to the RADIUS group.
eg:
aaa group server radius rad-group
 server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
 server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
now under the ssid part of the config have:
dot11 ssid yyyyyy
 authentication open (or whatever method you use) eap eap-method
under console/vty etc:
 login authentication auth-admin-access
you need some more stuff like RADIUS and TACACS server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s), it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s. -
About 802.1x port authentication using TACACS+
Hi
I have some question. Please help me. Thanks.
Question 1. May I use 802.1x port authentication with TACACS+?
Question 2. Is it true that TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+?
Any help would be greatly appreciated.
Thanks.
Thanks to you.
Where can I find the documents stating that TACACS+ doesn't support EAP?
I spent more time on it and I cannot find the documents.
Please help me....
Thanks. -
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
ip radius source-interface mgmt 0
radius-server key XXXXX
radius-server host X.X.X.X key XXXXX authentication accounting
radius-server host X.X.X.X key XXXXX authentication accounting
aaa authentication login default group Radius_Group
aaa authentication login console local
aaa group server radius Radius_Group
  server X.X.X.X
  server X.X.X.X
  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server.
Does anyone know if this works?
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
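Added example for the Nexus RADIUS thread above (editor's code, not from any post here and not Cisco or Microsoft code). Whatever NPS or ACS is configured to send, the cisco-av-pair reaches the switch as a RADIUS Vendor-Specific attribute (type 26) with Vendor-Id 9 and vendor type 1, and the Access-Accept that carries it is bound to the request and the shared secret by the Response Authenticator. The code builds that attribute for the shell:roles value from the answer, parses it back out of an Access-Accept, and checks the authenticator. The RADIUS secret, packet identifier and request authenticator are constructed values.

```python
"""RADIUS cisco-av-pair VSA carrying NX-OS roles, plus the Access-Accept authenticator.

Added example, not from the thread. Secret, identifier and request authenticator
below are constructed values for the demo.
"""
import hashlib
import hmac
import re
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor type of cisco-av-pair inside the VSA
# '=' marks the pair mandatory, '*' optional; NX-OS accepts both spellings.
ROLES_RE = re.compile(r'^shell:roles[*=]"?([^"]*)"?$')


def encode_cisco_avpair(value):
    """One Vendor-Specific attribute: type 26 | length | vendor 9 | vtype 1 | vlength | string."""
    v = value.encode("ascii")
    if len(v) > 247:                      # attribute length byte caps the whole VSA at 255
        raise ValueError("cisco-av-pair too long for one attribute")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_data), CISCO_VENDOR_ID) + vendor_data


def iter_attributes(blob):
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    off = 0
    while off < len(blob):
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute")
        yield atype, blob[off + 2:off + alen]
        off += alen


def cisco_avpairs(blob):
    """Return every cisco-av-pair string carried in the attribute list."""
    out = []
    for atype, data in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != CISCO_VENDOR_ID:
            continue
        vdata = data[4:]
        while len(vdata) >= 2:            # one VSA may pack several vendor sub-attributes
            vtype, vlen = vdata[0], vdata[1]
            if vlen < 2 or vlen > len(vdata):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR:
                out.append(vdata[2:vlen].decode("ascii"))
            vdata = vdata[vlen:]
    return out


def nexus_roles(avpairs):
    """Extract the NX-OS role names from shell:roles pairs, e.g. 'network-admin vdc-admin'."""
    roles = []
    for pair in avpairs:
        m = ROLES_RE.match(pair)
        if m:
            roles.extend(m.group(1).split())
    return roles


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Code(1) Id(1) Length(2) Authenticator(16) Attributes; RFC 2865 section 3."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    auth = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return head + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The NAS side: recompute the Response Authenticator with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    vsa = encode_cisco_avpair('shell:roles*"network-admin vdc-admin"')
    accept = build_access_accept(7, bytes(range(16)), b"s3cret", vsa)   # constructed values
    print(vsa.hex())
    print(nexus_roles(cisco_avpairs(accept[20:])), verify_response(accept, bytes(range(16)), b"s3cret"))
```

If the switch logs the Access-Accept but the user still lands in a read-only role, dumping the attributes this way tells you whether NPS sent vendor 9 / type 1 at all or wrapped the string in some other attribute.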
WAAS Authentication using TACACS+
Hi,
I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS (I use it to change config on switches and routers).
I don't know if I am missing a step to configure this feature either on the WAAS or the ACS.
Thanks,
TACACS really only provides a single "A", Authentication.
Are you allowed or not....
In order to provide Authorization, you still need to create the account in CM and provide a role and domain in the user config.
Leave the Local user check box "unchecked" if you plan to use TACACS to Authenticate.
I'm sure there is a way to provide authorization through complex custom attributes, but it achieves the same goal via CM once authenticated. -
Issue with Authentication using JAAS for coherence
Hi,
I have configured security frame work using JAAS for storage enabled node,
I am using a keystore for authenticating the users. Below is the code used for authentication:

    Subject subject;
    try {
        subject = Security.login(sUsername, sPassword.toCharArray());
    } catch (Throwable t) {
        subject = null;
        log("Authentication error:");
        log(t);
    }
    if (subject != null) {
        for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); ) {
            Principal principal = (Principal) iter.next();
            log("Principal: " + principal.getName());
        }
        Security.runAs(subject, new PrivilegedAction() {
            public Object run() {
                NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                // busy-wait so the callback handler thread never returns
                boolean flag = true;
                while (flag) {}
                return null;
            }
        });
    }

and I am calling the above class in the callback handler which is defined in the Coherence operational descriptor.
<security-config>
<enabled system-property="tangosol.coherence.security">true</enabled>
<login-module-name>TestCoherence</login-module-name>
<access-controller>
<class-name>com.tangosol.net.security.DefaultController</class-name>
<init-params>
<init-param id="1">
<param-type>java.io.File</param-type>
<param-value>config/keystore.jks</param-value>
</init-param>
<init-param id="2">
<param-type>java.io.File</param-type>
<param-value>config/permissions.xml</param-value>
</init-param>
</init-params>
</access-controller>
<callback-handler>
<class-name>Test</class-name>
</callback-handler>
</security-config>
I am using the following command line parameters for bringing up the storage enabled node.
-Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml"
-Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks"
-Djava.security.auth.login.config="$CONFIG_PATH/login.config"
-Dtangosol.coherence.security=true
Now, as long as the callback handler thread is alive, the storage enabled node will be up. As soon as the callback handler thread dies, the storage enabled node stops with the following error:
Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
Please let me know where I should pass the credentials to the default cache server for authentication, or whether I should change any implementation of authentication here.
Thanks in advance,
Bhargav
Bhargav,
Rather than trying to loop forever in a callback handler, try this:
    import com.tangosol.net.CacheFactory;
    import com.tangosol.net.DefaultCacheServer;
    import com.tangosol.net.security.Security;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import java.security.PrivilegedExceptionAction;

    public class SecureCacheServer {
        public static void main(final String[] args) throws Exception {
            // "Coherence" is the entry name looked up in the file given by
            // -Djava.security.auth.login.config
            LoginContext lc = new LoginContext("Coherence");
            lc.login();
            Subject subject = lc.getSubject();
            // run the stock cache server under the authenticated Subject
            Security.runAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    DefaultCacheServer.main(args);
                    return null;
                }
            });
        }
    }

Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer.
As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction, Coherence will use this identity anywhere it needs to do anything secured.
I hope the code above compiles OK as it is a modified version of the code I really use.
Hope this helps
JK -
Using TACACS+ for AAA on Cisco ASA
Hello -
I have compiled the TACACS+ server software (downloaded from ftp.cisco.com a while ago) and am looking for any hints on how to configure roles for full access and read-only access for our ASA firewalls. Does anybody have configuration examples for the tacacs+ configuration and the ASA configuration? Any hints are welcome.
Many thanks in advance!
Regards,
Stefan
Have a look at the attached doc
Narayan -
Reg: Configuration of AAA using TACACS+
Hi,
I am Anubhav. I'm new to the TACACS+ server and am trying to implement AAA authentication using the Cisco TACACS+ server, for which I've decided on the following AAA commands; a fallback user user1 has been configured on the router to be authenticated.
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common (purpose of this line?)
Kindly check if it's OK and I might not get locked out. The ACS server has been defined on the router. Kindly guide us on the steps to configure the user, group and privilege level on TACACS.
Thanks.
Hi,
As I've written in my previous post, I've configured the ACS server host and key on the router. I've created a user name test 1 on ACS and added the router through Add AAA Client, with Secure as the shared key. I must mention that I am using a Cisco 3845 router connected on my LAN for testing ACS, and I have access to it through the console as well. What else should I do on ACS 4.2 to get it authenticated by the TACACS server? Also, if I have more routers to add, could I create a group in the same way and add AAA clients? Kindly suggest if my approach is correct. Will there be separate users for each AAA client, or can the same user be used for all AAA clients for authentication through ACS if they are assigned to the same group or if they are in the Default group?
Also, how do I implement policies on a group (say: security)? Is there any screenshot tutorial available for the same?
Thanks, -
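Added example for Anubhav's lockout question above (editor's code, not from any post in this thread). Before pasting AAA method lists into a production router, it pays to check mechanically that every list ends in a method that works when the TACACS+ server is unreachable and that the console is not tied to the server at all; the same check catches the typos that show up further down this page in the Catalyst 4505 thread. The script parses `aaa authentication` / `aaa authorization` lines and `line` blocks and reports findings. Anubhav's lines are used as sample input; the `aaa new-model` line and the `line con 0` / `line vty 0 4` bindings in that sample are constructed context, not part of his post.

```python
"""Lockout audit for IOS AAA method lists.

Added example, not from the thread. Parses 'aaa authentication/authorization'
lines and 'line' blocks and reports what would lock you out when the
TACACS+/RADIUS server stops answering.
"""
import re

# Methods that still work when no AAA server answers.
SERVERLESS = {"local", "local-case", "none", "enable", "line", "if-authenticated"}
# Services that 'aaa authentication' accepts; 'exec' belongs to 'aaa authorization'.
AUTHEN_SERVICES = {"login", "enable", "ppp", "dot1x", "arap", "eou", "sgbp"}

AAA_RE = re.compile(r"aaa (authentication|authorization) (\S+) (?:(\d+) )?(\S+) (.+)$")
LINE_RE = re.compile(r"line (con|aux|vty|tty)\s*(.*)$")
BIND_RE = re.compile(r"(login authentication|authorization exec) (\S+)$")


def _methods(rest):
    """'group tacacs+ local' -> ['tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_aaa(text):
    """Return (method lists, per-line bindings, invalid aaa lines, aaa new-model seen)."""
    lists, lines, invalid, new_model, current = {}, {}, [], False, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if s == "aaa new-model":
            new_model = True
            continue
        m = AAA_RE.match(s)
        if m:
            kind, svc, level, name, rest = m.groups()
            if kind == "authentication" and svc not in AUTHEN_SERVICES:
                invalid.append(s)
                continue
            key = svc if level is None else f"{svc} {level}"   # e.g. 'commands 15'
            lists[(key, name)] = _methods(rest)
            current = None
            continue
        m = LINE_RE.match(s)
        if m:
            current = f"{m.group(1)} {m.group(2)}".strip()     # e.g. 'vty 0 4'
            lines.setdefault(current, {})
            continue
        m = BIND_RE.match(s)
        if m and current is not None:
            lines[current]["login" if m.group(1).startswith("login") else "exec"] = m.group(2)
    return lists, lines, invalid, new_model


def audit_aaa(text):
    lists, lines, invalid, new_model = parse_aaa(text)
    findings = []
    if not new_model:
        findings.append("'aaa new-model' not found (typo?): without it the aaa method lists are not in effect")
    for cmd in invalid:
        findings.append(f"not an IOS command: '{cmd}' (exec access is 'aaa authorization exec')")
    for (svc, name), methods in sorted(lists.items()):
        if not SERVERLESS & set(methods):
            findings.append(f"{svc} list '{name}' ({' '.join(methods)}): no serverless fallback, an unreachable "
                            "server locks you out; append 'local' (login) or 'if-authenticated' (authorization)")
        if svc == "login" and methods == ["none"]:
            findings.append(f"login list '{name}' is 'none': no credentials are asked for; "
                            "bind it only to a physically secured console")
    for ln, binds in sorted(lines.items()):
        for svc, name in binds.items():
            if (svc, name) not in lists:
                findings.append(f"line {ln}: '{name}' is not a defined {svc} list; IOS silently uses 'default'")
    if "login" not in lines.get("con 0", {}):
        findings.append("line con 0 has no 'login authentication' of its own and inherits 'default'; "
                        "give the console a dedicated local/none list so a server outage cannot lock it")
    return findings


# Anubhav's method lists, plus constructed 'aaa new-model' and line bindings.
ANUBHAV_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
line con 0
 login authentication NO_AUTHEN
 authorization exec NO_AUTHOR
line vty 0 4
 login authentication default
 authorization exec default
"""

# The Catalyst 4505 config posted further down this page, verbatim.
CAT4K_CONFIG = """
aaa new-modle
aaa authentication login default group tacacs+
aaa authentication login TACASE group tacacs+
aaa authentication exec default group tacacs+
tacacs-server host 10.10.10.1
tacacs-server key Password!@#
line vty 0 4
login authentication TACASE
"""

if __name__ == "__main__":
    for label, cfg in (("Anubhav", ANUBHAV_CONFIG), ("cat4k", CAT4K_CONFIG)):
        print(label)
        for f in audit_aaa(cfg):
            print("  -", f)
```

One caveat the script relies on: IOS only moves to the next method in a list when the server returns an error (unreachable, no response), not when it rejects the user, so `group tacacs+ local` does not let a user rejected by ACS in through the local database; it only keeps you out of the lockout that `group tacacs+` alone guarantees during an outage. `aaa session-id common` is unrelated to lockout: it makes every accounting record for one session carry the same session ID.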
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin     ; local admin user
feature tacacs+                                 ; enable the tacacs feature
tacacs-server host key                          ; define key for tacacs server
aaa group server tacacs+ tacacs                 ; create group called 'tacacs'
  server                                        ; define tacacs server IP
  use-vrf management                            ; tell it to use the default 'management' vrf to send the tacacs requests
  source-interface mgmt0                        ; ...and send them from the mgmt interface
aaa authentication login default group tacacs   ; use tacacs for login auth
aaa authentication login console group tacacs   ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local        ; use tacacs for normal command authorization
aaa accounting default group tacacs             ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
I am having trouble authenticating into my router.
Here is the debug error I get when I try to log in:
.Apr 9 18:13:15.518: AAA/BIND(00000068): Bind i/f
.Apr 9 18:13:15.522: AAA/AUTHEN/LOGIN (00000068): Pick method list 'default'
.Apr 9 18:13:15.522: TPLUS: Queuing AAA Authentication request 104 for processing
.Apr 9 18:13:15.522: TPLUS: processing authentication start request id 104
.Apr 9 18:13:15.522: TPLUS: Authentication start packet created for 104(david)
.Apr 9 18:13:15.522: TPLUS: Using server 172.16.6.3
.Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT/4620496C: Started 60 sec timeout
.Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT: socket event 2
.Apr 9 18:13:15.526: TPLUS(00000068)/1/NB_WAIT: wrote entire 42 bytes request
.Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: socket event 1
.Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: Would block while reading
.Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: socket event 1
.Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: errno 254
.Apr 9 18:13:15.658: TPLUS(00000068)/1/4620496C: Processing the reply packet
.Apr 9 18:13:20.434: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
.Apr 9 18:13:20.434: TPLUS: Queuing AAA Authentication request 0 for processing
.Apr 9 18:13:20.434: TPLUS: processing authentication start request id 0
.Apr 9 18:13:20.434: TPLUS: Authentication start packet created for 0(david)
.Apr 9 18:13:20.434: TPLUS: Using server 172.16.6.3
.Apr 9 18:13:20.434: TPLUS(00000000)/1/NB_WAIT/4620496C: Started 60 sec timeout
.Apr 9 18:13:20.434: TPLUS(00000000)/1/NB_WAIT: socket event 2
.Apr 9 18:13:20.438: TPLUS(00000000)/1/NB_WAIT: wrote entire 25 bytes request
.Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: socket event 1
.Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: Would block while reading
.Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: socket event 1
.Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: errno 254
.Apr 9 18:13:20.438: TPLUS(00000000)/1/4620496C: Processing the reply packet
Any help would be greatly appreciated.
David
The debugs show that you are sending requests to ACS/TACACS and receiving no response. There are several things that could cause this symptom. First you should check on whether the request is getting to the TACACS server. Probably you could look in the logs of the server and see if it has recognized and processed requests from your device. If it recognized the request then it may also have some indication of why it did not authenticate. These causes could include a mismatch in the shared key, the server does not have a correct definition of this device as a TACACS client, your machine is not sending requests with the source address that the TACACS server is expecting.
You also might want to verify that there is correct IP connectivity from your router to the TACACS server (ping or extended ping is a good way to check this). You might also check along the path and make sure that there are not access lists which might be blocking your request (or blocking the response from the server back to you).
HTH
Rick -
AAA authentication is fail on cisco 4505 switch with acs
I am new to AAA. I want to log in to a switch with authentication coming from Cisco ACS 5.1; I have configured both the switch and ACS 5.1. When I telnet to the
switch it displays % Authentication fails. Can anybody help me regarding this issue?
on cisco switch end conf:
aaa new-modle
aaa authentication login default group tacacs+
aaa authentication login TACASE group tacacs+
aaa authentication exec default group tacacs+
tacacs-server host 10.10.10.1
tacacs-server key Password!@#
line vty 0 4
login authentication TACASE
On the ACS 5.1 side I added the switch with the VLAN IP address that connects to ACS 5.1, but
when I log in using the PuTTY terminal it shows % Authentication fails.
Please help me regarding this issue!
Hi,
what is the error message reported on ACS?
Are you sure that you are using the same key on ACS and cat4k?
Can you configure "ip tacacs source-interface " with the vlan interface you are using as source?
You can also collect these debugs:
- deb aaa authentication
- deb tacacs
Cheers
Marco -
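Added example for the two threads above (David's debug showing a START packet written with no usable reply, and Marco's question about the shared key on the Catalyst 4505); editor's code, not from any post here. A TACACS+ client never sends the key: it XORs the packet body with an MD5 pseudo-pad derived from the session ID, the key, the version and the sequence number (RFC 8907, section 5.2), so a key mismatch shows up on the server as a body whose length fields and strings do not decode, which is exactly the "request seen but not processed" symptom Rick describes. The code builds an authentication START packet for user david, obfuscates it, and shows how a receiver tells a good key from a bad one. The session ID, port string, remote address and both keys are constructed values; with the strings chosen here the packet comes out to 42 bytes, the size of the first write in David's debug.

```python
"""TACACS+ (RFC 8907) authentication START packet: build, obfuscate, parse.

Added example, not from the thread. Session ID, port, remote address and keys
below are constructed; the user name 'david' is the one in the debug output.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0: ASCII login
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain keyed by session id, shared key, version and seq_no (RFC 8907 5.2)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_start_body(user, port, rem_addr, priv_lvl=1, data=b""):
    """Authentication START body: 8 fixed bytes followed by the variable strings."""
    fixed = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, key, session_id, seq_no=1, clear=False):
    """Prepend the 12-byte header; obfuscate unless the unencrypted flag is requested."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if clear else 0
    payload = body if clear else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_start(packet, key):
    """Decode a START packet; raises ValueError when the key is wrong and the body is garbage."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not add up: shared key mismatch or corrupt body")
    off = 8
    user = body[off:off + ulen]
    port = body[off + ulen:off + ulen + plen]
    rem_addr = body[off + ulen + plen:off + ulen + plen + rlen]
    try:
        user, port, rem_addr = (s.decode("ascii") for s in (user, port, rem_addr))
    except UnicodeDecodeError:
        raise ValueError("non-ASCII user/port/rem_addr: shared key mismatch") from None
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr}


def key_matches(packet, key):
    """What the server effectively decides: a wrong key leaves the body undecodable."""
    try:
        parse_start(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    body = build_start_body(b"david", b"tty66", b"192.168.1.10")      # constructed port/address
    pkt = build_packet(body, b"cisco", 0x1234ABCD)                     # constructed key/session id
    print(len(pkt), "bytes:", pkt.hex())
    print("right key:", parse_start(pkt, b"cisco"))
    print("wrong key decodes:", key_matches(pkt, b"dakey"))
```

Two things worth noticing when comparing this with a capture: the header, including the session ID and body length, is never obfuscated, so you can always match packets to a session even with the wrong key, and the 60-second `NB_WAIT` timeout in the debug is the client waiting for a REPLY that a server with a mismatched key will often simply never send.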
Tacacs+ for exec and radius for ppp on the same ras
Hi, I'm going to implement tacacs+ for exec control and RADIUS for ppp control in a ras router, using the same ACS for tacacs+ and radius sessions.
Is there any problem with this kind of configuration ?
thank you in advance
Renato
Renato
I have recently done something very similar at a customer site. On a remote access server we configured it to use TACACS for exec control and to use Radius for ppp. In our case we are using different servers but I do not think that would be an issue. We also are generating aaa accounting records for the ppp sessions and sending the accounting records to the TACACS server. I have not had any particular problems with getting this to work.
HTH
Rick -
ACS shell profile to only allow VPN authentication from TACACS+
I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, that would also allow users to SSH all of the network infrastructure. The new profiles will be radius based and will take some time to get them to the users.
In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
Thanks
Hi,
I tested this with Cisco ACS 5.5 with TACACS for the VPN tunnel and it doesn't work.
It gives you an error which states that the service protocol used is for device administration.
So it doesn't allow VPN authentication to work, but for RADIUS this works properly.
Thanks & Regards,
Nitesh