Aaa authorization (device doesn't always go into enable mode)
When I log into the 4500 switch with my domain account, I get priv 1 only and have to “enable” with the local enable password to get to priv 15. How do I set this up to get directly to enable? The ACS 5.1 is set up with an authorization/shell profile for Priv 15, no problems there.
2821-RTR2#show run | incl aaa
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local-case line
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
4500 that drops into enable mode
4500-SW1#show run | incl aaa
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local-case line
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
On the non-working device enable:
debug aaa authen
debug aaa author
debug tacacs
and post the results.
Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.
Similar Messages
-
Log into Device with AAA, how do I get right into enable mode?
I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line vty 0 5
login authentication ACS
authorization commands 15 ACS
The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remote or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
One more question on the aaa config, I kept getting this error in the log:
AAA/AUTHOR: config command authorization not enabled
So I added:
aaa authorization config-commands
I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
aaa authorization commands 15 ACS if-authenticated
-
Logging directly into enable mode on a PIX using TACACS
I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
Thanks in advance
Hi,
PIX does not support exec authorization. Hence the user cannot log in to level 15 directly.
Regards,
Vivek
-
Smart Cover doesn't put iPad into Sleep mode in Unlock position after iOS 8.3 update
Prior to the iOS 8.3 update, closing my Smart Cover would put my iPad into Sleep mode when in the Unlock position. Since the update, this function no longer works in the Unlock position. In the Lock position, I hear the click and the iPad does go into Sleep mode. Since I am the only one using my iPad, I don't need it locked when at home. Has anyone else experienced this problem?
Hi guys, I'm back.
I solved my problem. I referred my iPhone 5 to a local distributor. A repairman checked my iPhone and I described my problem. He checked my battery. It was fine! Then after an hour of excavation around a hardware solution he told me that the charging kit crashed because of heavy mobility usage!
Yes. I did not cover my phone with any cover. The CPU pressure from the iOS update crashed the kit! Now my phone is back after the kit was changed and finally works. I restored my phone to iOS 8.2 now.
I'm going to buy a new iPhone. But I'm really confused if this issue really happened for the iPhone 6 too!!!!!
I'm totally disappointed.
-
Solaris 10 U6 jumpstart installation always goes into interactive mode desp
While doing the Solaris 10 U6 jumpstart installation, it is going into interactive mode for netmask.
This is the sysidcfg file configuration being used :
bash-3.00# cat /export/home/iserver/jumpstart/donau1/sysidcfg
system_locale=en_US
name_service=none
network_interface=ce2
{hostname=donau1 netmask=255.255.252.0 ip_address=10.50.57.24 protocol_ipv6=no default_route=10.50.56.1}
security_policy=none
terminal=vt100
timezone="MET"
timeserver=10.50.57.214
nfs4_domain=dynamic
root_password=5YcgZqC0krYjo
bash-3.00#
Here the network interface specified is "ce2" and the netmask is as shown above. Still, we observe the problem every time.
And I have seen the following messages on the screen:
Attempting to configure interface ce3...
Skipped interface ce3
Attempting to configure interface ce2...
Configured interface ce2
ip_arp_done: init failed
ifconfig: setifflags: SIOCSLIFFLAGS: ce2: Cannot assign requested address
Attempting to configure interface ce1...
Skipped interface ce1
Attempting to configure interface ce0...
Skipped interface ce0
Reading ZFS config: done.
Setting up Java. Please wait...
Serial console, reverting to text install
Beginning system identification...
Searching for configuration file(s)...
Using sysid configuration file 10.50.57.214:/export/home/iserver/jumpstart/donau1/sysidcfg
Search complete.
Discovering additional network configuration...
Completing system identification...
After this it goes into interactive mode and prompts for the netmask. After providing the netmask, the installation goes through successfully.
So please suggest me some solution to avoid it going into interactive mode.
I have seen this too over the years and it ultimately comes down to something innate:
Here are a few suggestions:
1. Try and use interface ce0.
2. Check default route on both jumpstart server and client.
3. The arp cache may need to be flushed on the Jumpstart server.
4. Use snoop and see what happens during the actual RARPing phase between the server and host.
5. Switch the order in the sysid config file as indicated below:
system_locale=en_US
name_service=none
network_interface=ce2
{hostname=donau1 ip_address=10.50.57.24 netmask=255.255.252.0 protocol_ipv6=no default_route=10.50.56.1}
security_policy=none
terminal=vt100
timezone="MET"
timeserver=10.50.57.214
nfs4_domain=dynamic
root_password=*****************
Please note I blanked your root password. Let me know if this helps.
-
TACACs+ commands not dropping me into enable mode
Hi All,
I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands but I thought I'd try the new CLI version.
It works, e.g. I get prompted for username/password and authenticate against our AD server (integrated with ACS 4.2). I get into the router but into user mode.
My other devices drop me straight into Priv Mode. The only difference is the new commands vs. the old commands, but I can't see anything that is different in relation to putting me into Priv mode.
Any ideas?
aaa group server tacacs+ ABC_ACS
server name ABC_TAC
tacacs server ABC_TAC
address ipv4 172.27.10.10
key secretkey
aaa authentication login ACS_List group ABC_ACS line
aaa authorization exec ACS_List group ABC_ACS if-authenticated
aaa accounting exec ACS_List start-stop group ABC_ACS
aaa accounting commands 15 ACS_List start-stop group ABC_ACS
line vty 0 4
password test
authorization exec ACS_List
accounting commands 15 ACS_List
accounting exec ACS_List
login authentication ACS_List
length 0
transport input ssh
Make sure you defined the username with a static privilege level of 15, otherwise it will not be able to pass the enable authentication.
If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule.
-
After I delete a message, it doesn't always go into Trash bin but disappears.
In a number of instances, when I delete an e-mail from my Inbox, it doesn't appear in Trash but completely disappears--usually it's one I decide I need to look at again. Most of my real junk mail stays in my Trash folder until I empty the Trash folder.
I have this same problem, but for one message, not a bunch. I hit only the delete key or I click on the delete icon on the message itself. But when I go to look for it in Trash, it's not there, and can't be found anywhere. Any ideas? Thanks
-
Why is my phone always going into recovery mode?
This is the second time this happened to my phone. I was flicking around through Twitter and all of a sudden my phone just shut off; after I turned it back on, after about 5 minutes it turned off and wouldn't turn back on. I plugged it in and it says it is in recovery mode.
This is the SECOND time this has happened and when I go to restore and recover an unknown error keeps occurring. Please help me, I have had 3 iPhone 4's before this and my dad will behead me if I need another one.
Btw I had this metal sticker/case thing on it, that couldn't be the problem could it?
When you restore it using the computer, are you loading your backup onto the device again? If you are, try restoring it and setting it up as new. If it continues after being set up as new, then, yes, you will want to get it serviced.
-
Energy Saver doesn't put Powerbook into sleep mode
I've noticed many issues with Sleep mode on the PB line, but wondered if anyone else was having this problem:
PB will go to Sleep if it's told to (shut lid, Apple Menu -> Sleep, Logitech Keyboard Sleep/Shutdown button, etc), but it will not put itself to sleep if left idle for ANY amount of time. Does not seem to matter whether or not it's plugged in.
I should note that the screen goes blank, but the hard drive never seems to spin down, the little white light on the lid release never comes on, etc. So it could be Sleep vs. Deep Sleep, I don't know really.
Note, this is not unique to my machine; others in the office where I manage systems/network have this problem, and we run a variety of G4 PowerBook 15" models.
Not really sure when it stopped sleeping (have been on the ball with 10.4.x updates) but has been the case for some time now.
Also, I have reset the PMU, and it has not made any difference. Anyone else having similar issues? Seems to me like Power Management of the G4 may have broken along the way.
Cheers,
J
Powerbook G4 15" Mac OS X (10.4.8) 1.5 GHz
Joe,
No Classic running; haven't had Classic on my system for at least 6 years. You could say that I'm a bit of an OS X bigot, to be honest. No looking back, and all that.
Used Top/Activity Monitor, and nothing running save the daemons/procs that usually appear - certainly nothing that jumps out at me as a problem. Even disabled all virus checking just to make sure it hadn't developed an incompatibility with something in one of the last updates - no effect. Seriously, this is a case of 'it worked yesterday, and now (post updates) it doesn't.' Not that it's evident what the culprit is; nothing in the 10.4.8 updates seems a likely candidate, nor does anything in the 10.4.7. And not that I could even pinpoint when it happened either - it simply became evident over time that the hard drive wasn't spinning down, the Sleep light wasn't coming on, etc.
I'm tempted to fish out my ol' TI Book 400, and give it a go and see if it has problems. Would at least eliminate any hardware dependencies that might be an issue. Don't know that I can be bothered though - in the grand scheme of things, it's just a minor thing and digging much deeper would require effort that would get in the way of real work.
In any case, all suggestions are welcome and help is appreciated.
Jeff
-
AAA authorization exec explanation please....thank you
If I have this:
aaa authentication login default group tacacs+ local line none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
username localadmin password 7 xxxxxxxxxxxx
enable secret 5 xxxxxxxxxxxxxxxx
And all tacacs+ servers are unreachable.
Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?
If I can log in using the local username, doesn't the authorization exec fail and I cannot get an exec shell, as I have no locally defined authorization set up?
If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?
Is the exec shell the privileged mode or just the shell you get when you log in, where you need to execute an enable command to get to the exec shell?
Thanks
Gene
Gene
I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
aaa authorization exec default group tacacs+ if-authenticated
and find that it works well - whether the TACACS server is available or not.
HTH
Rick
-
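Gene's question (what happens to the exec authorization list when the TACACS+ servers are down) and Rick's `if-authenticated` answer both turn on one rule of IOS method lists: the next method in a list is consulted only when the current method returns an error (no usable answer, for example every server in the group is unreachable); a definite PASS or FAIL from any method ends the evaluation. The small Python model below is an added illustration, not code from this thread or from Cisco; the local user database, the usernames and the server replies are constructed, and the `local` behaviour is a labelled simplification.

```python
"""Simplified model of how Cisco IOS walks an AAA method list.

Added illustration, not code from the thread or from Cisco.  It encodes
one documented rule: IOS consults the next method in a list only when
the current method returns an error (no usable answer, e.g. every
server in the group is unreachable); a definite PASS or FAIL from any
method ends the evaluation.  The local user database and the server
replies below are constructed for the demonstration.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"   # no usable answer: servers down / timed out


# Constructed local database (the 'username ... privilege N' lines)
LOCAL_USERS = {"localadmin": 15}


def exec_authorization(methods, user, authenticated, server_reply):
    """Walk an 'aaa authorization exec' method list left to right.

    methods       -- the list keywords, e.g. ["group tacacs+", "if-authenticated"]
    user          -- username being authorized
    authenticated -- True if login authentication already succeeded
    server_reply  -- what a 'group <name>' method would return:
                     Result.PASS / Result.FAIL, or Result.ERROR when
                     no server in the group answers

    Returns (result, method_that_decided); method is None when every
    method returned ERROR, which IOS treats as a failed authorization.
    """
    for method in methods:
        if method.startswith("group "):
            result = server_reply
        elif method == "local":
            # Simplification (assumption): a user present in the local
            # database is authorized, anyone else is refused.
            result = Result.PASS if user in LOCAL_USERS else Result.FAIL
        elif method == "if-authenticated":
            result = Result.PASS if authenticated else Result.FAIL
        elif method == "none":
            result = Result.PASS          # no authorization performed
        else:
            raise ValueError(f"unsupported method keyword: {method}")
        if result is not Result.ERROR:
            return result, method         # PASS or FAIL stops the walk
    return Result.FAIL, None


if __name__ == "__main__":
    # Gene's list with every TACACS+ server down: 'local' decides.
    print(exec_authorization(["group tacacs+", "local", "none"],
                             "localadmin", True, Result.ERROR))
    # Rick's list, servers down: 'if-authenticated' decides.
    print(exec_authorization(["group tacacs+", "if-authenticated"],
                             "anyone", True, Result.ERROR))
    # A server that answers FAIL never falls through to later methods.
    print(exec_authorization(["group radius", "if-authenticated", "local"],
                             "localadmin", True, Result.FAIL))
```

Two consequences of the rule are worth keeping in mind when reading the configurations in this thread. First, a trailing `none` or `if-authenticated` is reached only when the server group returns an error, so it is a "servers unreachable" fallback, not a way to override a server that answers; if the server answers FAIL, as RADIUS does in Subodh's debug output further down, the session is refused and nothing after `group radius` is consulted. Second, that same fallback grants an exec shell to any authenticated login as soon as the servers are unreachable, which is the trade-off you accept in exchange for not being locked out.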
Mac OS X v10.7 Lion always boot into safe boot after upgrade?
I have recently upgraded my OS from snow leopard to lion and the upgrade process was smooth and no problems encountered.
I am also running boot camp with windows XP installed in the same iMac.
After the upgrade, my iMac almost always boots into safe mode whenever I switch it on and I need to restart it again and it will then return to its normal mode.
I wonder if anyone has encountered the same problem and if so, please give me a hand to solve it.
Thank you very much!
Same problem here with my 2011 21" iMac that I purchased in mid July.
I have a wireless keyboard, trackpad and mouse. When I power everything off and turn off the power strip then later turn on the computer it boots into Safe Mode.
Also, the Wi-Fi (formerly Airport) icon in the menubar is just the empty outline and clicking on it gives me the message "Wi-Fi: No hardware installed". Rebooting fixes this.
I spent an hour on the phone with an Applecare manager who had me run Disk Utility repair after booting into the recovery partition. Disk Utility found some disk errors, which I thought was strange for a new computer, and repaired them.
The problem still exists though.
-
Hi,
Configured the switch for the AAA authentication; it's getting authenticated but it's failing for authentication.
When connected to the console it worked: authenticated and then supplied the enable password.
When telnetted: it says "access approved" and "authorization failed".
Relevant switch configuration is as follows, and also the debug of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no ip address
spanning-tree portfast
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/2
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan120
ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
password 7 grrfcb7swe
transport input telnet
line vty 5 15
end
Debug output :
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------# authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on the Radius server, or can we change the authorization preference to local and then to radius?
Please share the experience.
Thanks in advance,
Subodh
Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post*
-
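The first answer in this thread asks for `debug aaa authen` / `debug aaa author` output, and Subodh's post above shows what that output looks like when exec authorization fails. Both are easier to read with a small parser that pairs each login's final authentication status with its exec authorization status and reports sessions that authenticated but were refused a shell. The Python below is an added example, not part of the thread or of any Cisco tool. The sample lines are the ones Subodh posted (with his trailing annotation removed); the regular expressions are assumptions based on those line formats only, and because the authentication and authorization phases carry different request IDs in this output, records are correlated on the username.

```python
"""Parse Cisco IOS 'debug aaa authentication' / 'debug aaa authorization'
output and pair each login's authentication result with its exec
authorization result.

Added example, not from the thread.  SAMPLE_DEBUG is the output posted
above (trailing annotation removed); the patterns below are assumptions
derived from those line formats only.
"""
import re

SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
"""

# Line shapes seen in the posted output (assumed, not a Cisco spec).
AUTHEN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/EXEC: (\S+) \((\d+)\) user='([^']*)'")
AUTHOR_METHOD = re.compile(r"AAA/AUTHOR/EXEC \((\d+)\): Method=(\S+)")
AUTHOR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
FREE_USER = re.compile(r"AAA/MEMORY: free_user \(\S+\) user='([^']*)' ruser='[^']*' "
                       r"port='([^']*)' rem_addr='([^']*)' .*priv=(\d+)")


def parse_aaa_debug(text):
    """Return {username: record} with the final authen/author outcome."""
    authen = {}    # authen request id -> {"user", "status"}
    author = {}    # author request id -> {"user", "port", "method", "status"}
    sessions = {}  # username -> merged record
    for line in text.splitlines():
        if m := AUTHEN_USER.search(line):
            sid, user = m.groups()
            if user != "(undef)":          # first CONT line has no user yet
                authen.setdefault(sid, {})["user"] = user
        elif m := AUTHEN_STATUS.search(line):
            sid, status = m.groups()
            authen.setdefault(sid, {})["status"] = status   # last status wins
        elif m := AUTHOR_USER.search(line):
            port, aid, user = m.groups()
            author.setdefault(aid, {}).update(user=user.strip(), port=port)
        elif m := AUTHOR_METHOD.search(line):
            aid, method = m.groups()
            author.setdefault(aid, {})["method"] = method
        elif m := AUTHOR_STATUS.search(line):
            aid, status = m.groups()
            author.setdefault(aid, {})["status"] = status
        elif m := FREE_USER.search(line):
            user, port, rem_addr, priv = m.groups()
            sessions.setdefault(user, {}).update(
                port=port, rem_addr=rem_addr, priv=int(priv))
    # The two phases use different request ids, so join on the username.
    for rec in authen.values():
        if "user" in rec:
            sessions.setdefault(rec["user"], {})["authen"] = rec.get("status")
    for rec in author.values():
        if "user" in rec:
            sessions.setdefault(rec["user"], {}).update(
                author=rec.get("status"), author_method=rec.get("method"))
    return sessions


def authenticated_but_not_authorized(sessions):
    """Usernames that passed login but were refused an exec shell."""
    return [u for u, s in sessions.items()
            if s.get("authen") == "PASS" and s.get("author") == "FAIL"]


if __name__ == "__main__":
    found = parse_aaa_debug(SAMPLE_DEBUG)
    for user, rec in found.items():
        print(user, rec)
    print("authenticated but not authorized:",
          authenticated_but_not_authorized(found))
```

On the sample it reports `wrrt\trial1` as authenticated by RADIUS, refused by the `radius` method during exec authorization, and freed at priv 1 from 10.12.7.71, which is exactly the "access approved" then "authorization failed" sequence Subodh saw on telnet. Run against the output requested in the first answer, the same parse shows which method made the decision on the device that stays at priv 1, so you can tell a server reply from a fallback to `none`.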
CFP-2110 will only boot into safe mode + communication error?
Hello all,
I have a new cFP-2110 and I'm trying to configure it. I'm using Realtime 8.0, Fieldpoint drivers 5.1.2 on Windows XP. My host computer versions match the FP controller software version and the safe-mode dip switch is in the 'off' position.
I even re-formatted the controller memory (like someone suggested in a different thread) but I keep getting the same thing: Connected - Safe Mode (Improper Installation)
Attached is a screen shot of the error I get when I try to 'find devices.' I have a good ethernet connection (although I have a yellow blinking LED on the RJ45 of the controller but not the green). I know this because I can reboot the controller from the host - It just always reboots into safe-mode. Does anybody have any suggestions for me?
Thanks - Paul
Attachments:
cFP-2110 error.JPG 365 KB
I finally found the problem and thought I'd share in case anyone else has similar issues:
In troubleshooting I wanted to eliminate network communication errors so I decided to connect directly to my host PC. I got a crossover ethernet cable and connected straight to my host PC's ethernet card. I had to log in as administrator on the host in order to change its IP address to a static address. Then I re-formatted the FP controller, re-assigned its IP and finally re-installed the RT and FP drivers. Finally - I had a normal connection!
This made me wonder if it was being directly connected to the host or being logged in as an administrator that was the fix. So I went to a second host PC, logged in as administrator (leaving it as a normal network connection), reformatted my second controller and re-installed the software - and hot damn - it worked!
Moral of this story is - be logged in as admin. before attempting to install any software...
-
I am running OSX Lion 10.78.4 and the computer will no longer go into sleep mode when I close the cover. In system preferences I can no longer find the option that allows for this energy saving feature. What happened to this option and why is this no longer happening with the latest version of Lion?
No external monitors or devices attached. When you mention that this function only works when devices are attached that is true when you set up your preferences that way. Up until my upgrade to Lion the computer would always go into sleep mode when I closed the lid. There also used to be an option to check in system preferences that allowed you to choose this option. My question for the discussion is what happened to that option and how do you get the computer to sleep or at least the display to sleep when you close the lid as we have been able to do in the past. Thanks.
-
HT201317 why now photosteam doesn't import photos into my PC but ok in all of my devices
why now photosteam doesn't import photos into my PC but ok in all of my devices?
It worked, and I have rechecked all the setup.... correct, so?
Correction: I have gotten a push when I uninstall and reinstall.