AAA configuration tuning

Goals:
1) have AAA authenticate, authorize, log all commands the users have entered;
2) don't use the default aaa keyword to avoid unexpected behavior;
I could not find any papers dealing with the issues in a single configuration and not using default methods. I have come up with this:
aaa new-model
aaa group server tacacs+ TacGroup1
 server-private 192.168.1.1 key mysharedkey
!
aaa authentication login TacAuth group TacGroup1
aaa authorization commands 0 TacPerm group TacGroup1
aaa authorization commands 1 TacPerm group TacGroup1
aaa authorization commands 15 TacPerm group TacGroup1
aaa accounting commands 0 TacAcc start-stop group TacGroup1
aaa accounting commands 1 TacAcc start-stop group TacGroup1
aaa accounting commands 15 TacAcc start-stop group TacGroup1
!
line vty 10
 login authentication TacAuth
 accounting commands 0 TacAcc
 accounting commands 1 TacAcc
 accounting commands 15 TacAcc
 authorization commands 0 TacPerm
 authorization commands 1 TacPerm
 authorization commands 15 TacPerm
Assuming I'm not lacking something critical, what more do I need to get this working?
Additionally, why do I need to reference accounting/authorization levels under line vty when they are referenced in the respective methods in the global conf mode?

What does the method name TacPerm refer to?
This must refer to the method configured in the previous command
aaa authentication login TacAuth group TacGroup1
The defined method is TacAuth. This word must be used with the auth command:
aaa authorization commands 0 TacAuth group TacGroup1
and
authorization commands 0 TacPerm
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Need help with AAA configuration

    I am trying to configure AAA on my network devices. I am using TACACS+ with an ACS (3.2) server. I have setup two user groups in the ACS server, one with enable privileges and one without. I am able to get the AAA configuration to work when telnetting into the devices. However, when logging into the console port, the user group with enable privileges do not go directly into enable mode as the telnetted users do. How to fix this?

    Hi,
    You will need to use the following command :-
    aaa authorization console
    This command will not show up on the help.
    Regards,
    Vivek

  • ISE and AAA configuration

    Hi Guys,
    I am using ISE only one server as primary and as cisco says it has functionality of (ACS+ NAC). I want to enable AAA services on the ISE box right now.
    I used the ACS earlier and want to configure the same functions on it.
    Authentication of devices from ISE when remote login to router/switches/firewalls.
    Authorization of commands form ISE based on user login
    Accounting of command and login and logout details of user.
    I have very basic knowledge in ISE but I used ACS thoroughly.
    Please help in the above issue.
    Thanks in Advance
    Regards

    Can you give any link where is shows TACACS is not supported.
    You find that amongst others in the Q&A:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Can you tell where need to enable these settings for AAA services.
    That's a quite complex thing ... Best you start with the ISE policies:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html
    Then look at the ACS migration-tool:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html
    But don't expect that the tool will migrate your ACS-policies in a useful way ... There is much handwork involved to end with a good ISE-policy.

  • AAA configuration on switches 2960

    Hi
    I have introduced the following configuration of AAA in the switches of series 2950 and it works very well,
    but when I do the same in switches 2960, the local password does not work and it is obligatory to introduce the switch in the ACS to have management of the switch.
    Is some additional configuration of AAA needed in switches 2960?
    Thanks.
    tacacs-server host y.y.y.y
    tacacs-server key xxxxx
    aaa new-model
    aaa authentication login acceso-consola group tacacs+ line
    aaa authentication login acceso-telnet group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line con 0
    exec-timeout 0 0
    login authentication acceso-consola
    line vty 0 4
    login authentication acceso-telnet

    Maria
    Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
    Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
    I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
    If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of without ACS.
    HTH
    Rick

  • Aaa configuration for steelhead and F5 loadbalancers?

    Hi all,
    I was trying to configure aaa authentication/authorization/accounting in Steelhead and F5 load balancers.
    Any resource or help to accomplish this task will be highly appreciated. Thanks!
    Abe

    http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
    Also have you tried looking at F5's website and or posting in their forums as well?

  • AAA Configuration!!

    hi,
    I am new to Cisco ACS server for Windows. I am testing it on a Cisco 1700 series router.
    I have created two users in ACS having different shell command authorization sets. And I have created one local user in the router. I am successfully able to log in on the router with both ACS users through telnet & console.
    But I am stuck with some requirements which I need to test.
    requirements:
    1). When my ACS is running, I should use only my ACS users for logging in to the device, whether through telnet or console.
    2). If my ACS is down, then I should be able to log in to the device through the local user created in it. This way the device will not be locked down due to the absence of AAA.
    I have almost achieved my first requirement. But I am stuck on my second requirement. Require your help please.
    Router configuration enclosed!!

    Hi Raj,
    Here you go,
    aaa authentication login default group tacacs local
    It will let you in using password configured in acs and if acs is down, it will let you in using local user/pwd configured in router.
    aaa authentication enable default group tacacs enable
    Once you are in user mode and try to login to enable mode--> It will let you in using enable password configured in acs and if acs is down it will let you in using enable pass set up on router
    aaa authorization console
    This command enables authorization on console port. By default that is disabled and it is recommended to use once you are sure about the commands. Else you will be locked out.
    aaa authorization config-commands
    Enables command authorization for global config mode
    aaa authorization exec default group tacacs if-authenticated
    This enables authorization for telnet (exec) sessions
    aaa authorization commands 1 default group tacacs+ if-authenticated
    Enabled command authorization for level 1 command
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Accounting commands are self explanatory.
    =======================
    Using 'none' versus 'if-authenticated' as backup method for authorization-
    If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method. If you use 'none', author will always be successful if the AAA server is down. Even if it goes down in the middle of the session. Adds convenience at the expense of security.
    Regards,
    ~JG
    Do rate helpful posts

  • Checking aaa configuration using LMS Baseline Compliance Checks

    Hi, I'm trying to setup a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over multiple lines and some have them in single lines as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
      aaa accounting exec default
      action-type start-stop
      group tacacs+
      aaa accounting commands 0 default
      action-type start-stop
      group tacacs+
      aaa accounting commands 15 default
      action-type start-stop
      group tacacs+
      aaa accounting connection default
      action-type start-stop
      group tacacs+
    OR
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+

    Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).
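As an added example (not from the thread and not part of LMS): a small Python normalizer that parses both accounting syntaxes shown in the question into one canonical form and then compares that against a baseline, so a single check covers devices using either style. The sample configurations and the baseline dictionary are constructed for illustration.

```python
import re

# Constructed sample configs: the "spread over multiple lines" form and the
# single-line form from the question, plus a drifted device for contrast.
MULTILINE_FORM = """\
aaa accounting exec default
 action-type start-stop
 group tacacs+
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
aaa accounting connection default
 action-type start-stop
 group tacacs+
"""

SINGLELINE_FORM = """\
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Constructed non-compliant config: two entries missing, one with the wrong action.
DRIFTED_FORM = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default
 action-type stop-only
 group tacacs+
"""

# What the baseline demands, keyed by (accounting type, method-list name).
BASELINE = {
    ("exec", "default"): ("start-stop", ("group tacacs+",)),
    ("commands 0", "default"): ("start-stop", ("group tacacs+",)),
    ("commands 15", "default"): ("start-stop", ("group tacacs+",)),
    ("connection", "default"): ("start-stop", ("group tacacs+",)),
}

_HEAD = re.compile(
    r"^aaa accounting (?P<type>exec|connection|commands \d+) (?P<list>\S+)"
    r"(?: (?P<rest>.+))?$"
)


def _methods(tokens):
    """Join 'group NAME' pairs so both formats yield the same method strings."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def normalize_accounting(config):
    """Parse both IOS accounting syntaxes into {(type, list): (action, methods)}."""
    entries, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            # Sub-mode line belonging to the multi-line form's last header.
            sub = raw.strip()
            if sub.startswith("action-type "):
                entries[current][0] = sub.split(None, 1)[1]
            elif sub.startswith("group "):
                entries[current][1].append(sub)
            continue
        current = None
        m = _HEAD.match(raw.rstrip())
        if not m:
            continue  # not an accounting line; ignored
        key = (m.group("type"), m.group("list"))
        action, methods = None, []
        if m.group("rest"):
            tokens = m.group("rest").split()
            action, methods = tokens[0], _methods(tokens[1:])
        entries[key] = [action, methods]
        current = key
    return {k: (v[0], tuple(v[1])) for k, v in entries.items()}


def baseline_violations(config, baseline=BASELINE):
    """Return the baseline entries a config is missing or has configured differently."""
    found = normalize_accounting(config)
    return [key for key, want in baseline.items() if found.get(key) != want]


if __name__ == "__main__":
    for name, cfg in [("multi-line", MULTILINE_FORM),
                      ("single-line", SINGLELINE_FORM),
                      ("drifted", DRIFTED_FORM)]:
        print(name, baseline_violations(cfg))
```

Both the multi-line and single-line devices normalize to identical tuples and report no violations; the drifted device reports the two missing entries and the one whose action-type is not start-stop. The same idea (normalize first, compare second) is what an "or" rule in a template would have to express.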

  • Different behavior with aaa configuration

    Hi Guys,
    Does anyone know if there is any difference in the way the following command is interpreted in different IOS release?
    aaa authorization exec default local group <group-name>
    I have observed different behaviour with the same set of configuration as follows;
    - 03.03.05SE on a 3650 switch: here the switch only allows local users to login to the device, the radius user always fails (well unless I change the configuration to xx..default radius local)
    - 15.0(2) on 2960: Here I can login both with local user and radius user with the same configuration.
    Any thoughts?

    Hi,
    I would not be surprised, especially since the 3560 is running IOS-XE vs the 2960 runs IOS.
    HTH

  • AAA configuration and Linksys Wireless Access Point

    Hi,
    Can we authenticate Linksys Wireless Access Point thru ACS  TACACS+ or RADIUS ? If yes , please tell me the config steps.
    Thanks.
    Anil K.

    Hi,
    Check out the below link for Linksys with Radius server authentication:-
    http://forevergeeks.com/setup-linksys-router-with-radius-server-authentication-2
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • AAA and MD5 Configuration on SIP Calls

    Please can anyone help in AAA and MD5 configuration on Cisco 3640 running SIP. My carrier told me that the only way that my calls can be authenticated is through AAA or MD5, eg -
    Host:
    Authentication ID:
    Secret:
    Please I need your help thank you in advance.
    Knmezi

    MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
    These protocols use MD5 authentication:
    OSPF
    RIP version 2
    BGP
    IP Enhanced IGRP
    For AAA configuration refer to following url;
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml

  • Configuring AAA to include local auth for Console connections

    Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host x.x.x.x
    tacacs-server timeout 120
    tacacs-server directed-request
    tacacs-server key <key>

    Would I add that as a separate line, or to the current one? Examples:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    aaa authorization console
    OR
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ console
    aaa accounting commands 15 default start-stop group tacacs+

  • Configuring AAA in ACE using ANM

    Hi guys
    Is there a way to do this? I can't find anywhere how to configure the AAA parameters for the ACE CLI access using the ANM. I know where to configure AAA for the ANM access, but not for the ACE devices.
    thx in advance!
    Omar M

    Hi Omar,
    Is there a way to change the interface that the ACE uses for TACACSs requests?
    The interface to be used for the AAA request is chosen based on the routing table, so, unless the server is in a vlan directly connected to the ACE, you can define which interface to be used by configuring a static route towards the server.
    Also, there's gonna be a request for each context right?
    The AAA configuration is done on a per-context basis, so, each context will handle connections arriving to it following its own configuration settings.

  • Aaa New format configuation on IOS and Nexus-OS based devices ?

    Dear all,
    I have been working on an assignment to get our TACACS servers standardized and to change the old format aaa configs to the new standard before the old format gets deprecated.
    I have many multiple IOS based model devices such as 2350, 2821, 3650, Firewalls, Nexus based 3048s 3064s and 7010s
    However, I have tried the new format on both the IOS based 2350s and also on the Nexus based 3048s which has errors in both cases
    Our plan is to move to the new style of aaa configuration and at least to have one standard format configuration for IOS based devices and one other standard format for Nexus based devices.
    Our tacacs appliances are crashing on AD authentication on a fairly regular basis. And I was wondering as to where to get a resource on Cisco.com to see if we are on the latest version. Can you point me to a resource where I can find the latest version so that I will be able to compare it with what we have
    Also if you have a forum recommendation for me to get help on this and other related stuff that will be a huge help.
    Probably we might need to upgrade our IOS; for example the below new aaa config format didn't work when I tried it on 2350 based on flash:/c2350-lanlite-mz.122-46.EY/c2350-lanlite-mz.122-46 version. Any suggestion here?
    I have attached the sample config I have been trying to use. If you have a better configuration suggestion let me know. Thanks a million for the help!
    Abe
    With Regards,
    Abe

    Yes, the focus with ML is certainly on trying to get people who have iOS devices to switch to using Apple computers.
    For long-time devotees of OS X like us, there's not much in it. Snow Leopard was still a far more versatile and more widely compatible OS than either 10.7 or 10.8. If you're on 10.6.8. I would think twice about upgrading.
    However, I think if you're on 10.7 already, it's worth upgrading to 10.8, simply because ML seems to be more stable and more refined. They have fixed some of the annoying things in Lion (like you can now put Devices back to the top of the Finder sidebar, Resume is turned off by default, 'Save As' has been resurrected, Launchpad actually has a filter bar etc etc.). Some of the apps are better too - some nice new features in Preview for editing and Safari has an all-in-one address/search bar).
    More features are advertised explained here: http://www.apple.com/osx/whats-new/features.html

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work but I am having difficulty getting my head around the below
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List i.e. the non-default method list?
    I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response: the device will only check the local user database if and only if it receives nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!
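Three points in this page fit one model: the original poster's question about why the named lists have to be referenced again under line vty, JG's note on 'none' versus 'if-authenticated' as the backup authorization method, and the reply above on named versus default lists and on "deny is not the same as no response". The following Python is an added example (not the thread's or Cisco's code) that simulates those rules: which list a line ends up using, and how a list is walked. The device model is a constructed summary of the configuration pasted above; the PASS/FAIL/ERROR outcomes are this example's own simplification of the behaviour the thread describes.

```python
# Possible outcomes of one method, as the thread distinguishes them.
PASS = "PASS"    # accepted (server permit, local match, 'none', ...)
FAIL = "FAIL"    # explicit deny: IOS stops here and does NOT fall back
ERROR = "ERROR"  # no response / unreachable: IOS tries the next method


def resolve_list(device, line, service):
    """Which method list applies on a line for a service.

    A named list bound to the line wins; otherwise the explicit 'default' list;
    if no default is defined either, local is used (the Cisco text quoted above).
    """
    named = device["lines"].get(line, {}).get(service)
    if named is not None:
        return device["lists"][service][named]
    return device["lists"].get(service, {}).get("default", ["local"])


def evaluate(methods, server_result, authenticated=True, local_match=True):
    """Walk a method list left to right.

    server_result is the reply the 'group ...' servers would give (PASS/FAIL/ERROR);
    authenticated says whether the session is currently authenticated by some
    method; local_match whether the local database would grant the request.
    """
    for method in methods:
        if method.startswith("group "):
            result = server_result
        elif method == "local":
            result = PASS if local_match else FAIL
        elif method == "if-authenticated":
            result = PASS if authenticated else FAIL
        elif method == "none":
            result = PASS
        else:
            raise ValueError("unknown method: " + method)
        if result != ERROR:
            return result          # only ERROR moves on to the next method
    return FAIL                    # every method errored out


def decide(device, line, service, server_result, **kw):
    """Resolve the list for a line, then evaluate it."""
    return evaluate(resolve_list(device, line, service), server_result, **kw)


# Constructed model of the config pasted above: named lists exist globally but
# only take effect on the VTY lines they are bound to; con 0 stays on 'default'.
SAMPLE_DEVICE = {
    "lists": {
        "authentication login": {"default": ["local"],
                                 "TacLogin": ["group TacSrvGrp", "local"]},
        "authorization exec": {"default": ["local"],
                               "TacAuth": ["group TacSrvGrp", "local"]},
        "authorization commands 15": {"default": ["local"],
                                      "TacCommands15": ["group TacSrvGrp", "local"]},
        # deliberately no 'authorization commands 0' list at all
    },
    "lines": {
        "con 0": {},
        "vty 0 4": {"authentication login": "TacLogin",
                    "authorization exec": "TacAuth",
                    "authorization commands 15": "TacCommands15"},
    },
}
```

Running decide() against SAMPLE_DEVICE shows the behaviour the thread describes: on con 0 the TACACS servers are never consulted because only the default (local) list applies; on vty 0 4 a server that does not answer falls through to local, whereas a server that explicitly denies ends the evaluation. With if-authenticated as the backup, a session that is no longer authenticated fails authorization when the servers are unreachable; with none it always passes.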

  • ASA in MultiContext mode and AAA

    Hi
    have two firewalls (ASA5540, ver8.2); one configured in multi mode (called A) and second configured in single mode (called B).
    Have Cisco ACS setup to perform AAA for both firewalls. Both (A,B) can authenticate using ACS (tacacs+) no problem. Local authorization is setup as fallback if ACS does not work.
    For firewall A (single mode) the ACS can perform authentication, authorization and accounting. Have setup a readonly and full access groups in ACS to provide readonly (only limited show commands available) and full access (read write) to firewalls. This works very well.
    Firewall B (in multimode) can provide authentication and accounting OK (not all accounting info but some login messages are available), but cannot provide authorization. Simple, that option is not available in ASDM (user setup/AAA) and only LOCAL is available for authorization.
    Entering from CLI "aaa authorization command TACACS-ACS LOCAL" on firewall B, the message back say that only tacacs+ and local methods are available.
    Entering "aaa authorization command tacacs+ local" on firewall B, the message back say that local method is not defined but tacacs+ argument does not bring any errors.
    Below are commands entered in firewall A and are working fine:
    aaa-server RADIUS-ACS protocol radius
    aaa-server RADIUS-ACS (inside) host 1.1.1.2
    key xxxxx
    aaa-server TACACS-ACS protocol tacacs+
    aaa-server TACACS-ACS (inside) host 1.1.1.2
    key xxxxx
    aaa authentication ssh console TACACS-ACS LOCAL
    aaa authentication http console TACACS-ACS LOCAL
    aaa authentication enable console RADIUS-ACS LOCAL
    aaa authorization command TACACS-ACS LOCAL
    aaa accounting ssh console RADIUS-ACS
    aaa accounting command TACACS-ACS
    aaa accounting telnet console RADIUS-ACS
    Questions: does a multimode firewall behave differently than single mode when it comes to AAA?
    If it does, how to set up AAA on a multicontext firewall? Through system, admin or individual contexts?
    What command(s) are missing from below to make multicontext authorized by AAA?
    I am trying to avoid entering authorization commands and levels on every context individually.
    Constructive feedback appreciated.
    Regards,

    Hello,
    I guess you will have to configure the AAA configuration on individual contexts.
    The following link throws some light on the same.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    It says:
    The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
