AAA authorization (device doesn't always go into enable mode)

When I log into the 4500 switch with my domain account, I get priv 1 only and have to "enable" with the local enable password to get to priv 15.  How do I set this up to get directly to enable? The ACS 5.1 is set up with an authorization/shell profile for priv 15, no problems there.
2821-RTR2#show run | incl aaa
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local-case line
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
4500 that drops into enable mode
4500-SW1#show run | incl aaa
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local-case line
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

On the non-working device enable:
debug aaa authen
debug aaa author
debug tacacs
and post the results.
Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.

Similar Messages

  • Log into Device with AAA, how do I get right into enable mode?

    I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
    aaa authentication login ACS group ACS_servers local enable
    aaa authorization exec ACS group ACS_servers local
    aaa authorization commands 15 ACS group ACS_servers local
    aaa accounting commands 1 default start-stop group ACS_servers
    aaa accounting commands 15 default start-stop group ACS_servers
    line vty 0 5
    login authentication ACS
    authorization commands 15 ACS

    The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remote or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
    One more question on the aaa config, I kept getting this error in the log:
    AAA/AUTHOR: config command authorization not enabled
    So I added:
    aaa authorization config-commands
    I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
    Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
    aaa authorization commands 15 ACS if-authenticated

  • Logging directly into enable mode on a PIX using TACACS

    I have set up TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is set up to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
    Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
    Thanks in advance

    Hi,
    PIX does not support exec authorization. Hence user cannot login to level 15 directly.
    Regards,
    Vivek

  • Smart Cover doesn't put iPad into Sleep mode in Unlock position after iOS 8.3 update

    Prior to the iOS 8.3 update, closing my Smart Cover would put my iPad into Sleep mode when in the Unlock position.  Since the update, this function no longer works in the Unlock position.  In the Lock position, I hear the click and the iPad does go into Sleep mode.  Since I am the only one using my iPad, I don't need it locked when at home.  Has anyone else experienced this problem?

    Hi guys, I'm back.
    I solved my problem. I referred my iPhone 5 to a local distributor. A repairman checked my iPhone and I described my problem. He checked my battery. It was fine! Then, after an hour of excavation around a hardware solution, he told me that the charging kit crashed because of heavy mobility usage!
    Yes, I did not cover my phone with any cover. The CPU pressure from the iOS update crashed the kit! Now my phone is back after the kit was changed and finally works. I restored my phone to iOS 8.2 now.
    I'm going to buy a new iPhone, but I'm really confused whether this issue really happens for the iPhone 6 too!
    I'm totally disappointed.

  • Solaris 10 U6 jumpstart installation always goes into interactive mode desp

    While doing the Solaris 10 U6 jumpstart installation, it is going into interactive mode for netmask.
    This is the sysidcfg file configuration being used :
    bash-3.00# cat /export/home/iserver/jumpstart/donau1/sysidcfg
    system_locale=en_US
    name_service=none
    network_interface=ce2
    {hostname=donau1 netmask=255.255.252.0 ip_address=10.50.57.24 protocol_ipv6=no default_route=10.50.56.1}
    security_policy=none
    terminal=vt100
    timezone="MET"
    timeserver=10.50.57.214
    nfs4_domain=dynamic
    root_password=5YcgZqC0krYjo
    bash-3.00#
    Here the network interface specified is "ce2" and the netmask is as shown above. Still, we observe the problem all the times.
    and I have seen the following messages on the screen
    Attempting to configure interface ce3...
    Skipped interface ce3
    Attempting to configure interface ce2...
    Configured interface ce2
    ip_arp_done: init failed
    ifconfig: setifflags: SIOCSLIFFLAGS: ce2: Cannot assign requested address
    Attempting to configure interface ce1...
    Skipped interface ce1
    Attempting to configure interface ce0...
    Skipped interface ce0
    Reading ZFS config: done.
    Setting up Java. Please wait...
    Serial console, reverting to text install
    Beginning system identification...
    Searching for configuration file(s)...
    Using sysid configuration file 10.50.57.214:/export/home/iserver/jumpstart/donau1/sysidcfg
    Search complete.
    Discovering additional network configuration...
    Completing system identification...
    after this it is going into interactive mode and prompting for netmask . After providing the netmask, installation goes through successfully.
    so please suggest me some solution to avoid it going into interactive mode.

    I have seen this too over the years and it ultimately comes down to something innate:
    Here are a few suggestions:
    1. Try and use interface ce0.
    2. Check default route on both jumpstart server and client.
    3. The arp cache may need to be flushed on the Jumpstart server.
    4. Use snoop and see what happens during the actual RARPing phase between the server and host.
    5. Switch the order in the sysid config file as indicated below:
    system_locale=en_US
    name_service=none
    network_interface=ce2
    {hostname=donau1  ip_address=10.50.57.24 netmask=255.255.252.0 protocol_ipv6=no default_route=10.50.56.1}
    security_policy=none
    terminal=vt100
    timezone="MET"
    timeserver=10.50.57.214
    nfs4_domain=dynamic
    root_password=*****************
    Please note I blanked your root password. Let me know if this helps.

  • TACACs+ commands not dropping me into enable mode

    Hi All,
    I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands but I thought I'd try the new CLI version.
    It works, e.g. I get prompted for username/password and it authenticates against our AD server (integrated with ACS 4.2). I get into the router but into user mode.
    My other devices drop me straight into priv mode. The only difference is the new commands vs the old commands, but I can't see anything that is different in relation to putting me into priv mode.
    Any ideas?
    aaa group server tacacs+ ABC_ACS
    server name ABC_TAC
    tacacs server ABC_TAC
    address ipv4 172.27.10.10
    key secretkey
    aaa authentication login ACS_List group ABC_ACS line
    aaa authorization exec ACS_List group ABC_ACS if-authenticated
    aaa accounting exec ACS_List start-stop group ABC_ACS
    aaa accounting commands 15 ACS_List start-stop group ABC_ACS
    line vty 0 4
    password test
    authorization exec ACS_List
    accounting commands 15 ACS_List
    accounting exec ACS_List
    login authentication ACS_List
    length 0
    transport input ssh

    Make sure you defined the username with a static privilege level of 15, otherwise it will not be able to pass the enable authentication.
    If ACS 5.x or higher, go to Policy Elements > Shell Profile and make sure you have one assigned with a static maximum privilege of 15 and, most importantly, that it is applied in an access-policy rule.
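Across the AAA threads above (the opening question, "Log into Device with AAA" and this one) the pasted configs differ in small ways that decide whether the TACACS+ shell profile is ever consulted: whether a named `aaa authorization exec` list is actually applied on the vty lines (only the `default` list applies without being named), and what the fallback method (`none`, `if-authenticated`) does when the servers are unreachable. The linter below is an added example, not code from any of the posts or from Cisco; it parses the `aaa` and `line vty` statements of an IOS config pasted as text and reports those conditions. The finding codes are this example's own names, and the three sample configs are constructed from the snippets posted above (the second one omits `authorization exec ACS` on the vty exactly as the original post does).

```python
import re

# Sub-commands that live under "line vty ..." (indented in a real running-config, but
# often pasted flat, as in the posts above); any other line ends the vty block.
_LINE_SUBCMDS = ("login ", "authorization ", "accounting ", "password ", "transport ",
                 "length ", "exec-timeout ", "access-class ", "session-timeout ")


def parse_methods(spec):
    """'group tacacs+ local none' -> ['group:tacacs+', 'local', 'none']."""
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        out.append("group:" + toks.pop(0) if t == "group" and toks else t)
    return out


def parse_ios_aaa(config):
    """Collect exec/login method lists and record which of them the vty lines name."""
    cfg = {"exec": {}, "login": {}, "vty_exec": set(), "vty_login": set(), "has_vty": False}
    in_vty = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        in_vty = in_vty and line.startswith(_LINE_SUBCMDS)
        if in_vty:
            m = re.match(r"(authorization exec|login authentication) (\S+)", line)
            if m:
                cfg["vty_exec" if m.group(1) == "authorization exec" else "vty_login"].add(m.group(2))
            continue
        if line.startswith("line vty "):
            cfg["has_vty"] = in_vty = True
            continue
        m = re.match(r"aaa (authorization exec|authentication login) (\S+) (.+)", line)
        if m:
            key = "exec" if m.group(1) == "authorization exec" else "login"
            cfg[key][m.group(2)] = parse_methods(m.group(3))
    return cfg


def lint_aaa(config):
    """Return (code, message) findings; the codes are this example's own names."""
    cfg, out = parse_ios_aaa(config), []
    for name, methods in cfg["exec"].items():
        if name != "default" and name not in cfg["vty_exec"]:
            out.append(("UNAPPLIED_EXEC_LIST",
                        f"'aaa authorization exec {name}' is defined but no vty line has "
                        f"'authorization exec {name}'; only the 'default' list applies unnamed"))
        if "none" in methods:
            out.append(("NONE_FALLBACK",
                        f"exec list '{name}': 'none' skips authorization when every earlier "
                        "method errors out (servers unreachable); a server reject is final"))
        if "if-authenticated" in methods:
            out.append(("IF_AUTHENTICATED_FALLBACK",
                        f"exec list '{name}': 'if-authenticated' grants the exec to any "
                        "authenticated user when the servers error out, bypassing the profile"))
    if cfg["has_vty"] and not cfg["vty_exec"] and "default" not in cfg["exec"]:
        out.append(("NO_VTY_EXEC_AUTHZ",
                    "vty sessions run no exec authorization, so the server's privilege "
                    "level is never requested and users land at privilege 1"))
    return out


def codes(config):
    return [code for code, _ in lint_aaa(config)]


# Constructed from the configs pasted in the posts above, not captured from live devices.
CFG_4500 = """\
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ none
"""
CFG_ACS = """\
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
line vty 0 5
 login authentication ACS
 authorization commands 15 ACS
"""
CFG_IOS15 = """\
aaa authentication login ACS_List group ABC_ACS line
aaa authorization exec ACS_List group ABC_ACS if-authenticated
line vty 0 4
 password test
 authorization exec ACS_List
 login authentication ACS_List
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("4500-SW1", CFG_4500), ("ACS vty", CFG_ACS), ("IOS 15", CFG_IOS15)):
        print(label)
        for code, msg in lint_aaa(cfg):
            print(f"  [{code}] {msg}")
```

Note what the three results say about the threads: the 4500 config is clean apart from the `none` fallback, which is why the reply above points at the ACS shell profile rather than the device; the "Log into Device with AAA" config defines `ACS` as an exec list but never applies it to `line vty 0 5`, so no exec authorization runs there; and the IOS 15 config does apply its list, so its only finding is the `if-authenticated` fallback. None of these codes implies the fallback itself is wrong, only that it should be a deliberate choice for the case where every TACACS+ server is down.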

  • After I delete a message, it doesn't always go into Trash bin but disappears.

    In a number of instances, when I delete an e-mail from my Inbox, it doesn't appear in Trash but completely disappears--usually it's one I decide I need to look at it again. Most of my real junk mail stays in my Trash folder until I empty the Trash folder.

    I have this same problem, but for one message, not a bunch. I hit only the delete key or I click on the delete icon on the message itself. But when I go to look for it in Trash, it's not there, and can't be found anywhere. Any ideas? Thanks

  • Why is my phone always going into recovery mode?

    This is the second time this happened to my phone. I was flicking around through Twitter and all of a sudden my phone just shut off; after I turned it back on, after about 5 minutes it turned off and wouldn't turn back on. I plugged it in and it says it is in recovery mode.
    This is the SECOND time this has happened and when I go to restore and recover an unknown error keeps occurring. Please help me, I have had 3 iPhone 4's before this and my dad will behead me if I need another one.
    Btw I had this metal sticker/case thing on it, that couldn't be the problem could it?

    When you restore it using the computer, are you loading your backup onto the device again?  If you are, try restoring it and setting it up as new.  If it continues after being set up as new, then, yes, you will want to get it serviced.

  • Energy Saver doesn't put Powerbook into sleep mode

    I've noticed many issues with Sleep mode on the PB line, but wondered if anyone else was having this problem:
    PB will go to Sleep if it's told to (shut lid, Apple Menu -> Sleep, Logitech Keyboard Sleep/Shutdown button, etc), but it will not put itself to sleep if left idle for ANY amount of time. Does not seem to matter whether or not it's plugged in.
    I should note that the screen goes blank, but the hard drive never seems to spin down, the little white light on the lid release never comes on, etc. So it could be Sleep vs Deep Sleep, I don't know really.
    Note, this is not unique to my machine; others in the office where I manage systems/network have this problem, and we run a variety of G4 PowerBook 15" models.
    Not really sure when it stopped sleeping (have been on the ball with 10.4.x updates) but has been the case for some time now.
    Also, have reset the PMU, and has not made any difference. Any one else having similar issues? Seems to me like Power Management of the G4 may have broken along the way.
    Cheers,
    J
    Powerbook G4 15"   Mac OS X (10.4.8)   1.5 GHz

    Joe,
    No Classic running; haven't had Classic on my system for at least 6 years. You could say that I'm a bit of an OS X bigot, to be honest. No looking back, and all that.
    Used top/Activity Monitor, and nothing running save the daemons/procs that usually appear - certainly nothing that jumps out at me as a problem. Even disabled all virus checking just to make sure it hadn't developed an incompatibility with something in one of the last updates - no effect. Seriously, this is a case of 'it worked yesterday, and now (post updates) it doesn't.' Not that it's evident what the culprit is; nothing in the 10.4.8 updates seems a likely candidate, nor does anything in the 10.4.7. And not that I could even pinpoint when it happened either - it simply became evident over time that the hard drive wasn't spinning down, the Sleep light wasn't coming on, etc.
    I'm tempted to fish out my ol' TI Book 400, and give it a go and see if it has problems. Would at least eliminate any hardware dependencies that might be an issue. Don't know that I can be bothered though - in the grand scheme of things, it's just a minor thing and digging much deeper would require effort that would get in the way of real work.
    In any case, all suggestions are welcome and help is appreciated.
    Jeff

  • AAA authorization exec explanation please....thank you

    If I have this:
    aaa authentication login default group tacacs+ local line none
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local none
    username localadmin password 7 xxxxxxxxxxxx
    enable secret 5 xxxxxxxxxxxxxxxx
    And all tacacs+ servers are unreachable.
    Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?
    If I can log in using the local username, doesn't the authorization exec fail and I cannot get an exec shell as I have no locally defined authorization set up?
    If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?
    Is the exec shell the privileged mode or just the shell you get when you log in and you need to execute an enable command to get to the exec shell?
    Thanks
    Gene

    Gene
    I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
    aaa authorization exec default group tacacs+ if-authenticated
    and find that it works well - whether the TACACS server is available or not.
    HTH
    Rick

  • Mac OS X v10.7 Lion always boots into safe mode after upgrade?

    I have recently upgraded my OS from snow leopard to lion and the upgrade process was smooth and no problems encountered.
    I am also running boot camp with windows XP installed in the same iMac.
    After the upgrade, my iMac almost always boots into safe mode whenever I switch it on and I need to restart it again and it will then return to its normal mode.
    I wonder anyone encounter the same problem and if so, please give me a hand to solve it.
    Thank you very much!

    Same problem here with my 2011 21" iMac that I purchased in mid July.
    I have a wireless keyboard, trackpad and mouse. When I power everything off and turn off the power strip then later turn on the computer it boots into Safe Mode.
    Also, the Wi-Fi (formerly Airport) icon in the menubar is just the empty outline and clicking on it gives me the message "Wi-Fi: No hardware installed". Rebooting fixes this.
    I spent an hour on the phone with an Applecare manager who had me run Disk Utility repair after booting into the recovery partition. Disk Utility found some disk errors, which I thought was strange for a new computer, and repaired them.
    The problem still exists though.

  • AAA authorization not working

    Hi,
    Configured the switch for the AAA authentication it's getting authenticated but it's failing for authentication.
    When connected to console it worked-  Authenticated and then supplied the enable password.
    When telneted : it says "access approved" and  "authorization failed"
    Relevant switch configuration is as follows  and also debug of aaa authorization.
    +++++++++++++++++++++++++++++
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname Switch
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default enable
    aaa authorization config-commands
    aaa authorization exec default group radius if-authenticated local
    aaa authorization commands 15 default group radius if-authenticated local
    enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
    username cisco privilege 15 password 7 05080F1C224233 
    vlan 10
    vlan 120
    ip subnet-zero
    vtp mode transparent
    spanning-tree extend system-id
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode access
      no ip address
      spanning-tree portfast
    interface GigabitEthernet0/1
      no ip address
    interface GigabitEthernet0/2
      no ip address
    interface Vlan1
      no ip address
      shutdown
    interface Vlan120
      ip address 10.12.8.70 255.255.255.240
    ip default-gateway 10.12.8.65
    ip classless
    ip http server
    radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
    radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key cisco
    line con 0
    line vty 0 4
      password 7 grrfcb7swe
      transport input telnet
    line vty 5 15
    end
    Debug output :
    Switch#
    21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
    21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
    21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
    21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:07: AAA/AUTHEN (2947331915): status = PASS
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
    21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
    21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
    21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
    21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
    Switch#
    Switch#
    Do we need to change anything on Radius server or can we change the authorization preference to local and then to radius.
    Please share the experience.
    Thanks in advance,
    Subodh

    Hi Subodh,
    I understand that you are trying to use command authorization using RADIUS.
    aaa authorization commands 15 default group radius if-authenticated local
    Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
    Please refer the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
    Regards,
    Karthik Chandran
    *kindly rate helpful post*
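The reply in the opening thread asks for `debug aaa authen` / `debug aaa author` output, and Subodh's post above shows what that output looks like when authentication passes but exec authorization fails. The script below is an added example, not code from either post or from Cisco: it groups `debug aaa authentication` and `debug aaa authorization` lines by the numeric session id IOS prints in parentheses, keeps the last status, method and method list seen for each session, records the privilege level IOS logs at `free_user`, and collapses that into a verdict. The verdict names are this example's own. The sample log is Subodh's debug, reproduced as constructed input with the trailing hand annotation removed.

```python
import re
from collections import defaultdict

RE_SESSION = re.compile(r"\((\d+)\)")          # the numeric id IOS prints per AAA transaction
RE_STATUS = re.compile(r"status = (\w+)")
RE_METHOD = re.compile(r"Method=(\S+)")
RE_LIST = re.compile(r'found list "([^"]+)"')
RE_USER = re.compile(r"user='([^']*)'")
RE_FREE = re.compile(r"free_user \S+ user='([^']*)'.*rem_addr='([^']*)'.*priv=(\d+)")


def parse_aaa_debug(text):
    """Group debug lines by session id; keep the last status, list name and methods seen."""
    sessions = defaultdict(lambda: {"kind": None, "user": None, "list": None,
                                    "methods": [], "status": None})
    freed = []
    for line in text.splitlines():
        line = line.strip()
        if "AAA/MEMORY: free_user" in line:      # end of session: what IOS finally granted
            m = RE_FREE.search(line)
            if m:
                freed.append({"user": m.group(1).strip(), "rem_addr": m.group(2),
                              "priv": int(m.group(3))})
            continue
        sid = RE_SESSION.search(line)
        if not sid:
            continue
        s = sessions[sid.group(1)]
        s["kind"] = "authen" if "AAA/AUTHEN" in line else "author" if "AAA/AUTHOR" in line else s["kind"]
        m = RE_USER.search(line)
        if m and m.group(1) not in ("", "(undef)"):
            s["user"] = m.group(1).strip()
        m = RE_METHOD.search(line)
        if m and s["methods"][-1:] != [m.group(1)]:   # dedupe repeated Method= lines
            s["methods"].append(m.group(1))
        m = RE_LIST.search(line)
        if m:
            s["list"] = m.group(1)
        m = RE_STATUS.search(line)
        if m:
            s["status"] = m.group(1)
    return dict(sessions), freed


def triage(sessions, freed):
    """Collapse the per-session records into a verdict (the codes are this example's own)."""
    authen = [s for s in sessions.values() if s["kind"] == "authen"]
    author = [s for s in sessions.values() if s["kind"] == "author"]
    if any(s["status"] == "FAIL" for s in authen):
        verdict = "AUTHEN_FAIL"
    elif not any(s["status"] == "PASS" for s in authen):
        verdict = "INCOMPLETE"
    elif any(s["status"] == "FAIL" for s in author):
        verdict = "AUTHEN_PASS_AUTHOR_FAIL"   # credentials accepted, exec authorization refused
    elif any(s["status"] == "PASS" for s in author):
        verdict = "AUTHEN_PASS_AUTHOR_PASS"
    else:
        verdict = "AUTHEN_PASS_NO_AUTHOR"     # no exec authorization ran for this login
    return {"verdict": verdict,
            "authen_methods": [m for s in authen for m in s["methods"]],
            "author_lists": [(s["list"], s["methods"], s["status"]) for s in author],
            "final_priv": freed[-1]["priv"] if freed else None}


def summarize(text):
    sessions, freed = parse_aaa_debug(text)
    return triage(sessions, freed)


# Subodh's debug from the post above, reproduced as constructed input (annotation removed).
SAMPLE = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample this yields `AUTHEN_PASS_AUTHOR_FAIL` with authentication via `radius`, exec authorization on list `default` via `radius` returning FAIL, and `priv=1` at teardown, which is exactly the split the reply above relies on: the RADIUS server accepted the credentials but the exec authorization request (service=shell, cmd*) was refused. When the two configs in the opening thread are debugged the same way, the working and non-working 4500 should differ only in the authorization session's status, which points at the shell profile selection on ACS rather than at the device.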

  • CFP-2110 will only boot into safe mode + communication error?

    Hello all,
    I have a new cFP-2110 and I'm trying to configure it. I'm using Realtime 8.0, Fieldpoint drivers 5.1.2 on Windows XP. My host computer versions match the FP controller software version and the safe-mode dip switch is in the 'off' position.
    I even re-formatted the controller memory (like someone suggested in a different thread) but I keep getting the same thing: Connected - Safe Mode (Improper Installation)
    Attached is a screen shot of the error I get when I try to 'find devices.' I have a good ethernet connection (although I have a yellow blinking LED on the RJ45 of the controller but not the green). I know this because I can reboot the controller from the host - It just always reboots into safe-mode. Does anybody have any suggestions for me? 
    Thanks - Paul
    Attachments:
    cFP-2110 error.JPG ‏365 KB

    I finally found the problem and thought I'd share in case anyone else has similar issues:
    In troubleshooting I wanted to eliminate network communication errors so I decided to connect directly to my host PC. I got a crossover ethernet cable and connected straight to my host PC's ethernet card. I had to log in as administrator on the host in order to change its IP address to a static address. Then I re-formatted the FP controller, re-assigned its IP and finally re-installed the RT and FP drivers. Finally - I had a normal connection!
    This made me wonder if it was being directly connected to the host or being logged in as an administrator that was the fix. So I went to a second host PC, logged in as administrator (leaving it as a normal network connection), reformatted my second controller and re-installed the software - and hot damn - it worked!
    Moral of this story is - be logged in as admin. before attempting to install any software...

  • I am running OSX Lion 10.7.4 and the computer no longer will go into sleep mode when I close the cover What happened with this option?

    I am running OSX Lion 10.7.4 and the computer will no longer go into sleep mode when I close the cover. In System Preferences I can no longer find the option that allows for this energy saving feature. What happened to this option and why is this no longer happening with the latest version of Lion?

    No external monitors or devices attached. When you mention that this function only works when devices are attached that is true when you set up your preferences that way. Up until my upgrade to Lion the computer would always go into sleep mode when I closed the lid. There also used to be an option to check in system preferences that allowed you to choose this option. My question for the discussion is what happened to that option and how do you get the computer to sleep or at least the display to sleep when you close the lid as we have been able to do in the past. Thanks.

  • HT201317 why now Photo Stream doesn't import photos into my PC but OK in all of my devices

    Why does Photo Stream now not import photos into my PC but work OK in all of my devices?
    It worked, and I have rechecked all the setup.... correct, so?

    Correction: I have gotten a push when I uninstall and reinstall.
