AAA login authentication methods

Hello guys,
I've noticed a strange behaviour with AAA authentication login.
My AAA configuration for login authentication is:
aaa authentication login default group tacacs+ local
No tacacs server exists, but the username and password do exist in the local database. Indeed, everything works fine when I log in:
aaa authentication login default group tacacs+ local line none
The problem comes up when I add the line and none authentication methods to the method list.
In this case, when I log into the switch (via console, for example) and I'm asked for a username, there is no validation of the username; I mean to say, I can put in whatever username and be granted access.
Conclusion: According to my aaa authentication list, method line or none should not be used unless tacacs and local are not available. In this case, local method is available and should fail so login should be rejected, but it jumps to the next method, finally giving access.
Is this a bug in AAA, or am I misunderstanding something?
Thanks a lot.

Only the exec-timeout command, so it applies the default list defined by aaa.
When I remove the none, authentication fails. I've debugged AAA authentication and it shows:
User Access Verification
Username:
Jul  5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f 
Jul  5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf
Jul  5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
% Authentication failed
Username:
Local authentication method is being bypassed.
If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.
Thanks.

Similar Messages

  • NK5 AAA multiple authentication methods??

    It looks like Nexus supports only one type of authentication at the same time:
    aaa authentication login default group radius
    Does it mean we cannot chain various types of authentication like
    aaa authentication login default group radius group tacacs+ none
    Is there any way to do this??
    It would be a bit strange not having this feature.
    M.

    Hi,
    I've tried this before, but the SSH connections go through one by one: line vty 0 -> 1 -> 2 -> 3 -> 4. If no one has made an SSH connection before, the connection will be on line vty 0. How do I make the SSH connection go to a specific line vty for a particular authentication method? As mentioned before, the router can provide the solution by associating the line vty with a rotary with different SSH listening ports. Is there a similar solution or other approach for the switch to provide the same kind of service?
    Thanks.
    TL

  • Ip http authentication aaa login-authentication doesnt work

    I have "ip tacacs source-interface Vlan1" in my config because without it enabled I can't SSH in with TACACS. However, with that line in the config, I can't access via HTTPS unless I have the line "ip http authentication local".

    For HTTP access, the user should have privilege level 15. This is how you enable it on ACS.
    Bring users/groups in at level 15:
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts

  • AAA TACACS for CM GUI login authentication?

    Has anyone successfully implemented TACACS authentication TO the CM GUI?  I have the CM configured for TACACS authentication to the WAE devices GUI and CLI - that works fine with the admin role assigned.  It does not work for authentication to the CM GUI though.  I can login to the CM GUI, but no data is displayed and the configuration pages are not available - (Your account does not have privileges to access any of the Central Manager pages.).
    So, I've created a new role with all the services enabled and applied that instead of the admin role.  The effect is the same.  It works fine for the WAE devices GUI and the CLI but not for the CM GUI.
    What am I missing?  How can I get authentication login to work on the CM GUI AND the data displayed and configuration pages available? 

    Hi David,
    I have tried to understand your problem, but it's a bit confusing.
    You have defined:
    line con 0
    login authentication cisco     #cisco is list-name
    According to command reference for 15.3:  http://www.cisco.com/en/US/partner/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284
    "cisco" was the list name. What is the configuration of that list-name ?
    (you put only default list-name from your configuration).
    If you want to use line defined password you could do:
    aaa authentication login line-list line
    line con 0
    password cisco
    login authentication line-list
    Regarding the question about the locally defined password: if you use a list which uses the "local" method and there is no such local user, then your access will always be denied.
    If you use a list with "tacacs" and then "local" methods, then only when the tacacs server is not responsive will the local username be queried. But if the tacacs server returns "authentication failure/bad password", your access will be denied and the "local" username will not be checked. This is a bit different than in Linux/Juniper configuration, which will query the next authentication method in case of a password failure of the previous method.
    Please also remember that the default AAA list is always overridden by a specific list configured under line con 0.
    Michal
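The method-list walk that this answer and the original post describe, written out as an added Python model (not Cisco code and not anything posted in the thread). It assumes three outcomes per method: PASS grants access, FAIL denies and stops, ERROR (method not available) falls through to the next method; it further assumes that an unknown username makes the local method report ERROR rather than FAIL, and that a missing line password falls through, which is what reproduces the behaviour the thread reports.

```python
"""Model of how an IOS-style AAA login method list is walked.

Added example, not code from the thread. Each method returns PASS, FAIL or
ERROR: PASS grants access, FAIL denies and stops the walk, ERROR (method
not available) falls through to the next method. Assumptions: an unknown
username makes 'local' return ERROR rather than FAIL, and a missing line
password makes 'line' fall through; both reproduce what the thread reports.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # method not available: consult the next one


class Device:
    """Constructed stand-in for the switch: local users, a TACACS+ server
    that may be unreachable, and an optional 'line con 0' password."""

    def __init__(self, local_users, tacacs_users=None, tacacs_up=False,
                 line_password=None):
        self.local_users = local_users
        self.tacacs_users = tacacs_users or {}
        self.tacacs_up = tacacs_up
        self.line_password = line_password

    def tacacs(self, user, pw):
        if not self.tacacs_up:
            return Result.ERROR  # server not responding: fall through
        ok = self.tacacs_users.get(user) == pw
        return Result.PASS if ok else Result.FAIL  # bad password stops here

    def local(self, user, pw):
        if user not in self.local_users:
            return Result.ERROR  # assumption: unknown user falls through
        return Result.PASS if self.local_users[user] == pw else Result.FAIL

    def line(self, user, pw):
        # The thread's debug prints "FAIL - Line password not found", yet with
        # 'none' configured the walk still continued, so model it as ERROR.
        if self.line_password is None:
            return Result.ERROR
        # Line password checks the password only; the username is ignored.
        return Result.PASS if pw == self.line_password else Result.FAIL

    def none(self, user, pw):
        return Result.PASS  # no authentication at all


def login(device, methods, user, pw):
    """Walk the method list in order; return (granted, trace)."""
    trace = []
    for name in methods:
        result = getattr(device, name.rstrip("+"))(user, pw)
        trace.append((name, result))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace
    return False, trace  # every method unavailable: deny


if __name__ == "__main__":
    sw = Device(local_users={"ops": "s3cret"})  # no TACACS+ server reachable
    for methods in (["tacacs+", "local"], ["tacacs+", "local", "line", "none"]):
        for user, pw in (("ops", "s3cret"), ("adsf", "anything")):
            granted, trace = login(sw, methods, user, pw)
            print(methods, user, "GRANTED" if granted else "DENIED",
                  [(m, r.value) for m, r in trace])
```

Run it and the trace for the unknown user "adsf" shows every method reporting ERROR until "none" grants access, while the same list without "none" denies; a reachable TACACS+ server that rejects the password stops the walk before "local" is ever consulted.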

  • What is the difference between Login authentication using AAA and Login Local

    Hello,
    I am currently studying for my CCNA and I am curious as to what the difference is between configuring the below two options, which seem to achieve the same outcome to me.
    1).
    Router(config)#username user1 password pass1
    Router(config)#line vty 0 15
    Router(config-line)#login local
    Or
    2).
    Router(config)#username user1 password pass1
    Router(config)#aaa new-model
    Router(config)#aaa authentication login LOCAL_AUTH local
    Router(config)#line vty 0 15
    Router(config-line)#login authentication LOCAL_AUTH
    Thanks for your replies

    When only looking at the authentication as you have configured it, you are right. Both do the same thing. But when you activate aaa new-model, you have plenty more options to control how your complete AAA is working. Most important, you can send the authentication to an external Authentication-server with RADIUS or TACACS+ or you can do Authorization where the external server controls what you are allowed to do after you have authenticated.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • AAA Radius Authentication Queries

    Have quite a few questions for Implementing Radius for my network devices :
    Q.1.) How to safely implement AAA RADIUS authentication to make sure users can log in using the LOCAL database in case the RADIUS server fails.
    Q.2.) How to provide only read access for a few users and full access to administrators.
    Q.3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the RADIUS and local credentials are not working)?
    Q.4.) How to recover the password for devices, especially firewalls.
    It would be great if someone could help me on these queries. Thanks in advance.
    Regards,
    gHP.

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    • Overloaded Session-ID
      Use the gw-accounting h323 syslog command to configure this mode.
    • VSA
      Use the gw-accounting h323 vsa command to configure this mode.

  • Server does not support PLAIN or LOGIN authentication

    I try to send mail via the XI Mail adapter. My settings are below:
    Transport protocol : SMTP
    Message protocol : XIPAYLOAD
    url : smtp://10.44...
    Authentication Method : Plain
    User : ...
    Password...
    From :
    To : ....
    But I get this error: "server does not support PLAIN or LOGIN authentication".
    I think I use SSL or something else, but I don't know how to do it using the Mail adapter.
    Or why do I get this error?
    Thanks

    Hello Tuncer,
    In your case, you need to first enable SSL on your PI server, which requires some effort. Here are the links for SSL configuration for AS ABAP and AS Java:
    http://help.sap.com/saphelp_nw70/helpdata/en/0d/a22640632cec01e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/56/a12640632cec01e10000000a155106/content.htm
    After that, you need to exchange client certificates between your PI and mail server so that the two systems will accept each other's logon tickets. Only after that you can use your mail adapter with SSL. All adapters that run on the adapter engine use Java AS's authentication mechanisms, so SSL should be enabled for your AS Java, you cannot enable it only for the mail adapter.
    I recommend trying this scenario with another mail server that doesn't require SSL first with plain authentication. Then you can go for SSL, but you will probably need an experienced basis guy to help you for the configuration.
    Hope this helps,
    Regards / selamlar
    Gökhan

  • ASA to ACS: how to distinguish different authentication methods?

    I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
    Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
    Here's the problem. I need to be able to distinguish on the ACS whether a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering their AD credentials instead; the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
    I've used NAR settings in the past to control what user databases an AAA client can authenticate against; however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

    I guess this should be possible with a feature called NAP (Network Access Profiles). Here you can define which database to use for any specific request. We can filter requests on the basis of attributes sent in the authentication request.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG

  • OAM - Authorization based on the authentication method

    We are using OAM 10g for a customer to protect a large number of web applications. In order to access those applications a user can choose from several authentication methods (e.g. client certificate, SecurID and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
    In other words, he wants to have the flexibility to define rules such as the following:
    Application A: Only accessible with client certificates
    Application B: Only accessible with mobile TAN
    Application D: Only accessible with SecurID or mobile TAN
    Application E: Accessible with any authentication method
    In order to implement this with OAM we would have to assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in an authorization rule.
    Does anyone know a way to implement these requirements?
    Any help is appreciated.
    Best regards,
    Donat

    This is how I think we can do this.
    Write an authentication plug-in which records which authentication scheme was used to log in to the application in one of the multivalued attributes in OID. Also write an authorization plug-in which checks this value and makes the authentication decision.
    One more approach is to create as many attributes in OID as the number of authentication schemes you have. Each of them is a flag representing whether the user is logged in with that authentication scheme or not. When the user authenticates using an authentication scheme, turn on that flag. Also flush the access server user profile cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write an authorization plug-in, but this may not be a scalable approach as you might have to create a new attribute in OID when a new authentication scheme is added.
    You can also keep this information somewhere in a database or flat file and use that information in the authentication and authorization plug-ins.
    I hope one of these solutions will help you.
    Thanks
    Kiran Thakkar

  • The User Authentication Methode required by this server can't be found.

    Ok, I have a network of iMacs that are bound to OS X Server and the users log in with network based user folders via Kerberos and Open Directory.
    This is all working just fine, and all iMac users have full access to all shared volumes as per the ACLs...
    My problem is when any of our office laptops that are not bound to the server and run on local user accounts need to log in for access to the AFP shared volumes. ALL but one of these laptops are receiving the "The User Authentication Methode required by this server can't be found." dialog box when attempting to log in. They never even have a chance to enter login names or passwords.
    What am I missing? I can't find any settings on this one laptop user account that are any different than the other laptops' user accounts...

    Steve can you explain more on how I use this Kerberos.app?
    I opened it on the one laptop that is working and can see one ticket in the Ticket Cache, and below that there is the same ticket listed with two subentries. All of them are listed as Expired at the moment, but then I have not connected to the server with this system since yesterday...
    When I open the app on the systems that don't work, there are no tickets listed. I clicked on the new button, but the info it's asking for is different than any of the info I found in the working system's Kerberos app... ??? Help.
    It's asking for Name, Realm, Password...

  • Switch AAA login authntication issue

    Dear all,
    I have had a strange problem since yesterday. I have two Cisco 4500 core switches clustered, which have been configured for AAA RADIUS login authentication (IAS server). Since yesterday, all of a sudden, I have a problem accessing one switch out of the two. Both switches are the same model and configured exactly the same way. But since yesterday I can only log in to one, and when I try to log in to Core switch1, I get to the username and password prompt; when I put in my username and password I get:
    User Access Verification
    Username: MyUsername
    Password:********
    Line has invalid autocommand " ppp negotiate"
    Connection to host lost.
    In my RADIUS logs, I see that authentication is successful.
    I don't know what has caused this problem; the only thing I did was add a route command on both switches yesterday, which has nothing to do with the AAA config. I can't log in to the switch to see any logs on the switch.
    Help on this would be greatly appreciated.
    Regards

    How do you connect to the switch, via terminal server or SSH/Telnet?
    If using a terminal server, please check the related line configuration on your terminal server to see if there is any difference between the working and non-working switches.
    If the same user ID can log in to the other switch without problem, I would suggest you check your IAS server. Did you try to remove / re-add the problem switch in IAS?

  • Reset Authentication method to Exchange 2013 EAC and now I can't get in.

    In trying to work through a list of issues related to Exchange upgrade I inadvertently have locked myself out of the EAC by changing the authentication method.  Is there any way to change it back?

    Hi,
    According to my experience, the ECP login failure issue has many reasons. Thus, to narrow down the cause, we can try to confirm the following information and try the following troubleshooting:
    1. Check the detail information about OWA and ECP virtual directory:
    Get-owavirtualdirectory |fl
    Get-ecpvirtualdirectory |fl
    2. Clear or restart the MSExchangeOWAAppPool
    Thanks,
    Angela Shi
    TechNet Community Support

  • How to migrate users, which have been using the Windows Authentication method

    Hi everybody,
    I have to migrate a production SQL Server 2008 database from one server to a different one. The problem is that a lot of users have been using this DB through the Windows Authentication method. Because the migration should be as fast as possible, I would like to use a SQL script in order to streamline the process. Does anyone know if it is possible to do it?
    Thank you in advance,
    Regards

    Apart from the transfer-logins scripts Ashwin and Stan mentioned, I usually run the following script in order to re-establish orphaned users, if there are any, for SQL logins.
    set nocount on
    declare @username    sysname,
            @errcode     int
    select @errcode = 0
    -- First database user (excluding built-ins and roles) whose SID maps to no server login.
    select @username = min(name)
    from sysusers (nolock)
    where uid <> gid and
          name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
          suser_sname(sid) is null and
          issqlrole = 0
    while @username is not null
    begin
       -- A login with the same name exists on the server: re-map the orphaned user to it.
       if exists (select 1
                  from master.dbo.syslogins (nolock)
                  where name = @username)
       begin
          exec sp_change_users_login @Action = 'Update_One',
                                     @UserNamePattern = @username,
                                     @LoginName = @username
          select @errcode = @@error
          if @errcode = 0
             print 'The user ''' + @username + ''' was re-established in database!'
          else
             print 'Failed to re-establish user ''' + @username + ''' in database!'
       end
       else
       -- No matching login at all: the user can never authenticate, so drop it.
       begin
          print 'The user ''' + @username + ''' does not have login ID. So, drop it from database!'
          exec sp_dropuser @username
       end
       -- Advance to the next orphaned user in name order.
       select @username = min(name)
       from sysusers (nolock)
       where uid <> gid and
             name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
             suser_sname(sid) is null and
             issqlrole = 0 and
             name > @username
    end
    go

  • How to reset endeca authentication method?

    Hi there, I'm using endeca 3.1 on Windows and my endeca Portal just had the admin user ([email protected]) created.
    I've incorrectly changed the authentication method to ID instead of the email (which was the default) and now when I try to login with admin, it gives a message that the user is invalid...
    Is there any way to reset the authentication method back to the default?
    Thanks
    Ygor

    For the default user, "admin" is the user's screen name, not the user ID. That's why you couldn't log in using "admin".
    The user ID is a number.
    I don't know the exact structure of the Studio database, but would it be possible for you to get the user ID for the admin user out of the user table so that you can log in and change the setting back?
    Unless you are logged in to Studio, I don't know how you could change the setting.

  • AAA local authentication

    Hi all,
    I have configured my remote switch with the following AAA local authentication configuration.
    no enable secret
    no username hotel
    no aaa new-model
    username s1umb3r password p3ac3fully
    enable secret tryt0h@ckth!S!s1umb3r
    aaa new-model
    exit
    wr
    After I have saved the configuration, I am not able to log in to the switch remotely. Please advise me ASAP.
    Now how would I get into the router? Is there any possibility of getting into the router remotely?
    IOS version 12.0(5)WC8
    Your early response will be highly appreciated.
    Regards,
    Khan

    What does the VTY line have for config?
