AAA on 6513
Guys,
The following configuration for authentication and authorization doesn't work on the 6513 alone, but the same configuration is working on 100+ Catalyst switches. I have verified that the ACS server is reachable from the 6513 and that an entry for the 6513 exists on the ACS server. Interestingly, there are no failure entries in the logs (6513 / ACS)! Is something missing in the config?
aaa new-model
aaa group server tacacs+ name1
server ACSserver1
server ACSserver2
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
tacacs-server host ACSserver2
no tacacs-server directed-request
tacacs-server key xxxxx
Appreciate help,
-Satishcp
Hi,
The AAA config looks good, but is the switch able to resolve the names?
I guess we need aaa authentication and tacacs debugs to see what's going on.
Regards,
Vivek
Similar Messages
-
Hi,
My Catalyst 6513 have the following error message :
%AAAA-3-SUBTYPE: Bad Subtype [dec] for "[chars]" ([dec])
The Error Message Decoder mentions:
An internal software error has occurred.
Recommended Action: Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.
Related documents: No specific documents apply to this error message.
Is it a hardware problem or a software bug?
Best Regards,
Jackson Ku
Jackson, best is to contact TAC; they should be able to decipher more accurately what it means and whether it is hardware or software, but this sounds more like software, as %AAAA are TACACS authentication-related messages with a level 3 error condition, based on this link.
http://www.cisco.com/en/US/docs/ios/12_1/system/message/emdover.html
http://www.cisco.com/en/US/docs/ios/12_1/system/message/emdaaaa.html#wp1025091 -
Hi, folks.
While having trouble getting my AC power supply cord to power up the 'book (the cord wires were broken and the power would only flow if the cord were held in one position) the battery eventually was
exhausted and the 'book shut down.
This interruption caused the desktop menu, labels, and submenus, to all be labeled AAAAAAAAA....etc.
The A's appear within box (square) shapes. For example the word 'view' looks like this AAAA but in boxes.
I tried to rebuild the desktop but that didn't help. I wanted to trash the desktop preferences, but since everything is labeled AAAAAAA I can't find them! Even the master OS disk (Tiger) is littered with AAAAAA's! I can read the internet ok, however.
What's going on?
Hi Ddale53, and a warm welcome to the forums!
http://discussions.apple.com/thread.jspa?messageID=7629337
http://discussions.apple.com/thread.jspa?threadID=856498&tstart=195 -
We seem to be having an issue recently after introducing new Windows Server 2012 R2 servers where they fail to register DNS correctly. The Windows Firewall is off and the servers are on the same VLAN with no firewalls between them.
When I do an ipconfig /registerdns or wait 24 hours for the system to try we get the following error:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
Adapter Name : {4A0ECF05-193F-4BEA-AA46-BEC593BA752B}
Host Name : SRV-DATA
Primary Domain Suffix : internal.local
DNS server list :
192.168.0.50, 192.168.0.42
Sent update to server : <?>
IP Address(es) :
192.168.0.99
The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.
To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
On our DNS server we have set the internal.local zone to Secure Updates only, so that looks good because it is Active Directory that should be handling this authentication to update the record, I assume. Just to mention that when doing an ipconfig /registerdns the update fails within a few seconds.
Source: DNS Clients Events
Event ID: 8018
User: NETWORK SERVICE
This issue is only affecting Windows Server 2012 R2 clients, and testing with Windows Server 2008 R2 clients works with no issues. So is this a misconfiguration or a bug with Windows 2012 R2? I have checked all DNS settings on client / server, which all look good to me, so reaching out now to see if anyone has any ideas?
Environment:
- Windows Server 2012 R2 Domain Controllers (Forest/Domain Levels 2012 R2)
- Windows Server 2012 R2 Client machines (Physical and Virtual)
- Windows Server 2008 R2 Client machines (Physical and Virtual)
The zone is configured as "Secure Only"
The PDC is the SOA for the zone
I dont have a packet capture from the DC, only the client.
The query you asked me to run is too long to paste in here, however this is the DNS zone it cannot update:
NotifyServers :
SecondaryServers : {10.2.0.3, 10.2.0.5}
AllowedDcForNsRecordsAutoCreation :
DistinguishedName : DC=internal.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=local
IsAutoCreated : False
IsDsIntegrated : True
IsPaused : False
IsReadOnly : False
IsReverseLookupZone : False
IsShutdown : False
ZoneName : internal.local
ZoneType : Primary
DirectoryPartitionName : ForestDnsZones.internal.local
DynamicUpdate : Secure
IsPluginEnabled : False
IsSigned : False
IsWinsEnabled : False
Notify : NoNotify
ReplicationScope : Forest
SecureSecondaries : TransferToSecureServers
ZoneFile :
PSComputerName :
CimClass : root/Microsoft/Windows/DNS:DnsServerPrimaryZone
CimInstanceProperties : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties -
issue with cisco acs 4.2. Users unable to login to aaa client but after restarting group policy able to login
-
VPN Client and AAA services on a Cisco ISR Router
Hi, my name is Jim, and I was just promoted as a trainer for the company I work for. Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training. I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router. Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from. My questions are these:
1. What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
2. I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
3. In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
4. Are there helpful articles I can read that will answer some or all of these questions?
Thanks in advance,
Jim
Hi Jim,
Congratulations!
Assuming a basic setup, your router will have something like this:
crypto isakmp client configuration group MyGroup
key cisco123
So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
Does this help?
Herbert -
How to survive an ACS audit with aaa-reports!
For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way, and below is a list of tips we've picked up over the years of providing reporting services for ACS.
Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time; using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep it alongside the retained CSV logs for future reference.
Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data", essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating not only that there is specific and adequate policy to control access to those parts of the network that require it, but also seeking evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
Below are some additional TDA specific tips:
Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand the intent of the policy from its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
The above list is of course by no means definitive, as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm.
-
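The "junk data" tip above (a scripted login that fails once per script line and buries the real failures) has a mechanical signature: the same user from the same device failing many times inside a short window, while a genuine mistyped password is one or two rows. The script below is an added example, not part of the post above or of aaa-reports!; the CSV column names and the sample rows are constructed for the illustration and should be mapped to the header of your own ACS Failed Attempts export.

```python
"""Find scripted failure bursts in an ACS-style Failed Attempts CSV export.
Added example; the column layout and rows are constructed, not a real export."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: 'netmon' is a script looping on one router (a failure
# every two seconds), 'jsmith' mistyped a password once, 'svc-backup' fails
# every 30 minutes (many failures, but no burst).
SAMPLE_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-IP-Address,Authen-Failure-Code
06/17/2011,14:15:01,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:03,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:05,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:07,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:09,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:11,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:13,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:15:15,Authen failed,netmon,Default Group,10.1.1.216,10.1.7.20,CS password invalid
06/17/2011,14:20:10,Authen failed,jsmith,NetAdmins,10.1.1.50,10.1.7.21,CS password invalid
06/17/2011,13:00:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
06/17/2011,13:30:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
06/17/2011,14:00:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
06/17/2011,14:30:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
06/17/2011,15:00:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
06/17/2011,15:30:00,Authen failed,svc-backup,Default Group,10.1.1.9,10.1.7.22,CS user unknown
"""


def parse_rows(csv_text):
    """Yield (timestamp, user, nas_ip, failure_code) per row of the export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        yield ts, row["User-Name"], row["NAS-IP-Address"], row["Authen-Failure-Code"]


def find_bursts(csv_text, window_s=60, threshold=5):
    """Flag (user, NAS) pairs with at least `threshold` failures inside any
    `window_s`-second window, and report how much of the log they account for."""
    by_key = defaultdict(list)
    total = 0
    for ts, user, nas, _code in parse_rows(csv_text):
        by_key[(user, nas)].append(ts)
        total += 1

    flagged, junk_rows = {}, 0
    for key, times in by_key.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):           # sliding window [j, i]
            while (times[i] - times[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[key] = {"peak_in_window": peak, "total": len(times),
                            "first": times[0], "last": times[-1]}
            junk_rows += len(times)
    return {"flagged": flagged, "junk_rows": junk_rows, "total_rows": total}


if __name__ == "__main__":
    report = find_bursts(SAMPLE_CSV)
    for (user, nas), info in report["flagged"].items():
        print(f"{user}@{nas}: {info['peak_in_window']} failures within 60s, "
              f"{info['total']} total between {info['first']} and {info['last']}")
    print(f"{report['junk_rows']} of {report['total_rows']} rows are burst noise")
```

Tune `window_s` and `threshold` to the script's cadence; a widened window (hours rather than a minute) also surfaces the slow, periodic failures of a service account with a stale password, which is the other common source of log noise.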
I have setup ACS 4.2 and when I run
router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
Both options work fine.
But when I try to log in over telnet, the request reaches the AAA server but returns fail!
My commands are :-
tacacs-server host xx.xx.xx.xx single-connection port 49
tacacs-server key xxxxxxxxxxx
aaa authentication banner ^CUnauthorized access forbidden^C
aaa authentication username-prompt "Enter Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I don't see the banner NOR the "Enter Username:" prompt.
Also, debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail.
I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error there was "shared secret does not match" in the AAA server logs.
I am still new to 4.2, so am still trying to determine where the log files are etc., but since it works with the test command, I can't seem to understand why it fails with telnet.
Any idea why this may be happening?
Thanks
I tried both the suggestions.. no luck.
Below is the output of debug, with some lines in BOLD to help you find interesting lines in the log output.
Thanks
fixeddemo#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.1.7.15
tacacs-server key xxxxxxxxxx
fixeddemo#sh debugging
General OS:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Subsystem debugs debugging is on
fixeddemo#
Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:15:54.674: T+: user:
Jun 17 14:15:54.674: T+: port: tty515
Jun 17 14:15:54.674: T+: rem_addr: 10.1.1.216
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.674: T+: End Packet
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
fixeddemo#
Jun 17 14:15:54.674: T+: msg: Username:
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.678: T+: End Packet
Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#
Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.794: T+: User msg:
Jun 17 14:15:58.794: T+: User data:
Jun 17 14:15:58.794: T+: End Packet
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
fixeddemo#
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:15:58.798: T+: msg: Password:
Jun 17 14:15:58.798: T+: data:
Jun 17 14:15:58.798: T+: End Packet
Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authentication
Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWORD
fixeddemo#
Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.502: T+: User msg:
Jun 17 14:16:02.502: T+: User data:
Jun 17 14:16:02.502: T+: End Packet
Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
fixeddemo#
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:02.554: T+: msg:
Jun 17 14:16:02.554: T+: data:
Jun 17 14:16:02.554: T+: End Packet
Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
fixeddemo#
[ The output below is for the next Username: prompt I believe]
Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:16:04.558: T+: user:
Jun 17 14:16:04.558: T+: port: tty515
Jun 17 14:16:04.558: T+: rem_addr: 10.1.1.216
Jun 17 14:16:04.558: T+: data:
Jun 17 14:16:04.558: T+: End Packet
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Jun 17 14:16:04.562: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
fixeddemo#
Jun 17 14:16:04.562: T+: data:
Jun 17 14:16:04.562: T+: End Packet
Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo# -
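The debug above is the TACACS+ exchange on the wire (RFC 8907): the router sends an AUTHEN START for port tty515 from 10.1.1.216 (36 bytes), the server answers GETUSER with "Username: " (28 bytes), then GETPASS, then FAIL (18 bytes), each body obfuscated with the shared key. The Python below is an added example, not code from this thread, from the 6513 thread at the top of the page, or from Cisco: it builds and decodes the same three packets and shows what a wrong shared secret looks like to the parser. The session ID, port and remote address are taken from the debug; the key is a placeholder, and the "Username: " reply is modelled on the server's message (the second attempt in the debug carries the banner in the same field).

```python
"""TACACS+ (RFC 8907) authentication packets as seen in the fixeddemo debug.
Added example; the shared key below is a placeholder, not a real secret."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0               # major 0xC, minor 0: "Version 192 (0xC0)"
TAC_PLUS_AUTHEN = 1                   # packet type 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 1             # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 1        # START authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 1         # START authen_service
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

SESSION_ID = 0xBA2FC5F5               # from the debug
KEY = b"placeholder-shared-secret"    # assumption: not the thread's key


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over
    session_id || key || version || seq_no (|| previous digest)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """12-byte header (version, type, seq_no, flags, session_id, length) plus
    the body, obfuscated unless the UNENCRYPTED flag is set."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(body))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return header + body


def authen_start_body(user, port, rem_addr, priv_lvl=1, data=b""):
    """AUTHEN START (RFC 8907 5.1): 8 fixed bytes, then user/port/rem_addr/data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def authen_reply_body(status, server_msg=b"", data=b"", flags=0):
    """AUTHEN REPLY (RFC 8907 5.2): status, flags, server_msg_len, data_len."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_header(pkt):
    fields = struct.unpack("!BBBBII", pkt[:12])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))


def decode_authen_reply(pkt, key):
    """De-obfuscate a REPLY with `key` and decode its status. With the wrong
    key the body is pseudo-random and fails the length check: that is what a
    'shared secret does not match' looks like on the wire."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if not hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    well_formed = status in AUTHEN_STATUS and 6 + msg_len + data_len == hdr["length"]
    return {"status": status, "status_name": AUTHEN_STATUS.get(status, "UNKNOWN"),
            "flags": flags, "server_msg": body[6:6 + msg_len].decode("ascii", "replace"),
            "well_formed": well_formed}


def demo():
    """The START, GETUSER reply and FAIL reply of the first attempt in the debug."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID,
                         authen_start_body("", "tty515", "10.1.1.216"), KEY)
    get_user = build_packet(TAC_PLUS_AUTHEN, 2, SESSION_ID,
                            authen_reply_body(4, b"Username: "), KEY)
    fail = build_packet(TAC_PLUS_AUTHEN, 6, SESSION_ID, authen_reply_body(2), KEY)
    return start, get_user, fail


if __name__ == "__main__":
    start, get_user, fail = demo()
    print(len(start), len(get_user), len(fail))                  # 36 28 18
    print(decode_authen_reply(get_user, KEY))                    # GETUSER, 'Username: '
    print(decode_authen_reply(get_user, b"wrong-key")["well_formed"])  # False
```

One thing the code makes concrete: the router in the debug parsed status 4, 5 and 2 out of the replies, so it de-obfuscated them with the right key; with a key mismatch the status and lengths come out as noise and `well_formed` is False. A FAIL that parses cleanly is the server's own decision, so the place to look next is the ACS Failed Attempts entry for that user and NAS rather than the key. Note also that the MD5 pad is obfuscation, not encryption: anyone holding the key and a capture of the session recovers the password typed at the ASCII login, so keep TCP/49 on a management path and off shared segments.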
How to use 2 AAA server for different login purpose
Hello, could you help me?
This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
The TACACS server 10.20.30.40 takes care of the virtual access, and I have another TACACS server that takes care of login on our network equipment.
! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
virtual-profile virtual-template 1
virtual-profile aaa
interface Serial2/0:15
description ISDN30
no ip address
encapsulation ppp
no ip route-cache
no keepalive
dialer pool-member 10
isdn switch-type primary-net5
isdn tei-negotiation first-call
isdn caller xxxxxxx
no fair-queue
compress stac
no cdp enable
ppp authentication chap
ppp multilink
interface Virtual-Template1
ip unnumbered FastEthernet1/0
ip nat outside
ppp authentication chap
tacacs-server host 10.20.30.40 key ********
line con 0
exec-timeout 20 0
password ************
login authentication no_tacacs
transport input none
flowcontrol hardware
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
password *************
login authentication no_tacacs
transport input telnet
transport output telnet
If I just add
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
login authentication vtymethod
My telnet request ask 10.20.30.40 and I have a deny! Could you help to make a secure solution?
Thanks
Jens
I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
aaa group server tacacs+ vty_TAC
server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********
I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
Give it a try and let us know what happens.
HTH
Rick -
Long question.
I am running a main program loop of 60 msec. At one point in the loop I create a 64 element array of delay times. At that point I need to begin outputting a predefined single pulse to each of the 64 lines on my PCI-6513. Each line outputs the pulse with a starting delay set by the "delay time" in the array.
Each delay time is such that the pulses will be done before the next loop commands another one.
Thank You
Roger
Hi,
You have multiple ways of doing this. Since there is no timing engine on the 6513, your code is going to control the output of the card, which is what we call "software timed". If you take a look at the example called "Write Dig Chan.vi", you can individually control each line.
So to change the state of the line, since you have an array of delay times you can aid yourself with a "stacked sequence structure", where in each frame you control the time it takes to go to the next frame and the data being written to the card.
Another option is using a state machine where each state writes the data you want, and you can also control the time between states. For further references take a look at this article: Application Design Patterns: State Machines.
I hope it helps
Jaime Hoffiz
National Instruments
Product Expert
Digital Multimeters and LCR Meters -
Is it possible to Configure VPC Between N5010 and 6513
Hello Gents,
Please let me know if we can configure vPC between the N5010 and the 6513 (core switch).
If yes, does it have any loops or abnormal traffic behaviour?
Please refer to the attached mail for the current network diagram.
1) I would like to establish vPC between the N5010 and the Cisco 6513 switch.
2) If yes, will the upstream devices above the 6513 core switch forward the traffic from all the 6513 ports connected to the N5000 ports, or will the 6513 send traffic from one uplink and block the other uplink ports as part of STP?
3) Is VSS on the 6513 required for point #1?
Please refer some links on this as well.
Appreciate your quick response.
Thanks and Regards,
KA.
Hi Karim,
You can use this one; you can consider your 6k the FEX as in this example:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html
On the port-channel to the 6k, do not configure:
"switchport mode fex-fabric"
"fex associate 100"
This configuration is intended to be used with FEX.
Regards
Dan -
DCDIAG /test:dns result is pasted here.
C:\Users\administrator.SUD>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MUM-ADS-01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: Connectivity
......................... MUM-ADS-01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... MUM-ADS-01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sud
Running enterprise tests on : sud.in
Starting test: DNS
Test results for domain controllers:
DC: MUM-ADS-01.sud.in
Domain: sud.in
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server:
a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server:
b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server:
c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server:
d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server:
e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server:
f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server:
g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server:
h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server:
i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server:
j.root-servers.net. (192.58.128.30)
Error: Root hints list has invalid root hint server:
k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server:
l.root-servers.net. (198.32.64.12)
Error: Root hints list has invalid root hint server:
m.root-servers.net. (202.12.27.33)
TEST: Delegations (Del)
Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
[Missing glue A record]
TEST: Records registration (RReg)
Network Adapter
[00000006] Intel(R) PRO/1000 MT Network Connection:
Warning:
Missing AAAA record at DNS server 10.1.6.132:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.132:
gc._msdcs.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
gc._msdcs.sud.in
Warning: Record Registrations not found in some network adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 128.9.0.107 (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: sud.in
MUM-ADS-01 PASS WARN FAIL FAIL PASS WARN n/a
......................... sud.in failed test DNS
Hi Meinolf,
Please find the IP Details as well as DNS test results.
C:\Users\Administrator.SCI>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MDCDCDNS
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: Connectivity
......................... MDCDCDNS passed test Connectivity
Doing primary tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
ERROR: NO DNS servers for IPV6 stack was found
......................... MDCDCDNS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sci
Running enterprise tests on : sci.com
Starting test: DNS
Test results for domain controllers:
DC: MDCDCDNS.sci.com
Domain: sci.com
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter
[00000009] Microsoft Virtual Network Switch Adapter:
Warning:
Missing AAAA record at DNS server 10.64.7.32:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.32:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
gc._msdcs.sci.com
Warning: Record Registrations not found in some network adapters
MDCDCDNS PASS WARN PASS PASS PASS WARN n/a
......................... sci.com passed test DNS
C:\Users\Administrator.SCI>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MDCDCDNS
Primary Dns Suffix . . . . . . . : sci.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sci.com
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : External Internal Virtual Network
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.64.7.32(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.64.7.1
DNS Servers . . . . . . . . . . . : 10.64.7.32
10.64.7.35
10.20.33.72
10.20.33.71
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TEAM : Team #1
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IPv4 Address. . : 169.254.105.163(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{2D5A4A27-298F-48E5-A376-EA886EF1E42A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{14FA7CD4-8B69-4C86-A58B-056793B7D901}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Please check and revert back for any queries..
Thanks...
Deva
Self-trust is the first secret of success.
-
How to set the Context path to AAA/BBB in Weblogic 5.1?
Hi folks,
I want to deploy a web application and set the servlet context as:
AAA/BBB. Put more simply, my application should be accessible via the
following:
http://localhost:7001/AAA/BBB/main.jsp
where http://localhost:7001/AAA/BBB maps to my document root.
One work around is to set the context to AAA:
weblogic.httpd.webApp.AAA=WebAppLocation
And in the deployment descriptor (web.xml) to register all servlets
with a BBB/ prepended to the desired alias:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/BBB/main.jsp</url-pattern>
</servlet-mapping>
But this solution does not work for me. Parts of the application refer
the context root (AAA) and create URLs relative to that. These URLs
will not have the BBB part. Searching for it in the code and replacing
it is not desirable (we do not own the code). Does anyone have any
suggestions?
Thanks in advance,
Musafir
What you have done for changing the context root to "/" is all fine, but it is important to know that there is a ROOT.war in the deploy folder of JBoss which by default gets bound to the "/" context. You must be getting an error message like "Web mapping already exists for deployment" when you start your JBoss server after changing your context root to "/". So either you can completely remove the ROOT.war from the deploy folder or change the context-root of ROOT.war by updating its web.xml like:
<web-app>
<display-name>Welcome to JBoss</display-name>
<description>
Welcome to JBoss
</description>
<context-param>
<param-name>context-root</param-name>
<param-value>/jboss-root</param-value>
</context-param>
<servlet>
<servlet-name>Status Servlet</servlet-name>
<servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
</servlet>
</web-app>
and also update the jboss-web.xml of ROOT.war:
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
<context-root>/jboss-root</context-root>
</jboss-web>
I hope this serves your purpose.
There can be a workaround also by modifying the index.html of ROOT.war in the deploy folder of your server and redirect request to your web application using meta refresh like:
<meta http-equiv="refresh" content="0;URL='/store'"> -
AAA new-format configuration on IOS and NX-OS based devices?
Dear all,
I have been working on an assignment to get our TACACS+ servers standardized and to change the old-format aaa configs to the new standard before the old format gets deprecated.
I have many IOS-based devices such as 2350, 2821, 3650 and firewalls, and Nexus-based 3048s, 3064s and 7010s.
However, I have tried the new format on both the IOS-based 2350s and on the Nexus-based 3048s, and it gave an error in both cases.
Our plan is to move to the new style of aaa configuration and to have at least one standard-format configuration for IOS-based devices and another standard format for Nexus-based devices.
• Our TACACS appliances are crashing on AD authentication on a fairly regular basis, and I was wondering where to find a resource on Cisco.com to see if we are on the latest version. Can you point me to a resource where I can find the latest version so that I can compare it with what we have?
Also, if you have a forum recommendation for me to get help on this and other related stuff, that would be a huge help.
Probably we might need to upgrade our IOS; for example, the new aaa config format below didn't work when I tried it on a 2350 running flash:/c2350-lanlite-mz.122-46.EY/c2350-lanlite-mz.122-46. Any suggestion here?
I have attached the sample config I have been trying to use. If you have a better configuration suggestion, let me know. Thanks a million for the help!
Abe
With Regards,
Abe
Yes, the focus with ML is certainly on trying to get people who have iOS devices to switch to using Apple computers.
For long-time devotees of OS X like us, there's not much in it. Snow Leopard was still a far more versatile and more widely compatible OS than either 10.7 or 10.8. If you're on 10.6.8, I would think twice about upgrading.
However, I think if you're on 10.7 already, it's worth upgrading to 10.8, simply because ML seems to be more stable and more refined. They have fixed some of the annoying things in Lion (like you can now put Devices back at the top of the Finder sidebar, Resume is turned off by default, 'Save As' has been resurrected, Launchpad actually has a filter bar etc.). Some of the apps are better too: some nice new features in Preview for editing, and Safari has an all-in-one address/search bar.
More features are explained here: http://www.apple.com/osx/whats-new/features.html -
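An added example, not from Abe's attachment or from any reply on this page: the legacy and the named-server forms of the same TACACS+ configuration for IOS, followed by the NX-OS equivalent. Server addresses, server names, the group name, the local account and the shared key are placeholders. The named `tacacs server` block only parses on IOS images that support it; images that predate it accept only the `tacacs-server host` form, so a standard that has to cover devices which cannot be upgraded needs to keep the legacy form for them. Using the same group name in both forms lets the method lists stay identical across the fleet.

```cisco
! --- IOS, legacy form (tacacs-server host), accepted by older images too ---
aaa new-model
tacacs-server host 10.0.0.11 key 0 SharedSecret
tacacs-server host 10.0.0.12 key 0 SharedSecret
aaa group server tacacs+ TAC-SERVERS
 server 10.0.0.11
 server 10.0.0.12
!
! --- IOS, named-server form; same group name as above ---
tacacs server ACS1
 address ipv4 10.0.0.11
 key 0 SharedSecret
tacacs server ACS2
 address ipv4 10.0.0.12
 key 0 SharedSecret
aaa group server tacacs+ TAC-SERVERS
 server name ACS1
 server name ACS2
!
! --- IOS method lists, common to both forms ---
! local account is consulted only when every server is unreachable, not on a reject
username admin privilege 15 secret LocalFallbackOnly
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
aaa authorization exec default group TAC-SERVERS if-authenticated
aaa authorization commands 15 default group TAC-SERVERS if-authenticated
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS
!
! --- NX-OS equivalent ---
feature tacacs+
tacacs-server key 0 SharedSecret
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
aaa group server tacacs+ TAC-SERVERS
  server 10.0.0.11
  server 10.0.0.12
  use-vrf management
  source-interface mgmt0
aaa authentication login default group TAC-SERVERS local
aaa authentication login console local
aaa authorization commands default group TAC-SERVERS local
aaa authorization config-commands default group TAC-SERVERS local
aaa accounting default group TAC-SERVERS
```

NX-OS has no enable mode, so the `aaa authentication enable` line has no counterpart there; the user's privileges come from the role the TACACS+ server returns in the cisco-av-pair attribute (for example `shell:roles="network-admin"` or `network-operator`), which has to be defined on the server side before the switch is cut over. On both platforms, test from a second session before logging out of the one you configured from, so a mistyped key or group name does not lock you out.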
I've setup the TACACS server with two groups
-FULL admin rights
-READ only rights
Two users have been created
-admin_test
-read_test
The admin_test config works fine on AAA but I keep getting stuck with the read_test configs. I can never get to enable mode even though I've defined it in the group policy. Is there something wrong with my aaa statements below?
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Privilege is not scalable in a big environment. What you need is authorization on the ACS server. In Cisco Freeware TACACS+ I defined the following groups: readonly, advanced and admin:
group = readonly {
default service = deny
cmd = show { permit .* }
cmd = copy { permit .* }
cmd = ping { permit .* }
cmd = enable { permit .* }
cmd = configure { deny .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = debug { permit .* }
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
cmd = interface { permit .* }
}
group = admin {
default service = permit
}
As you can see, admin can access everything, readonly can only read. Advanced can make limited changes and admin can do everything.
On the Cisco router, I have the following configuration:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
I find that by doing it this way, it is much more scalable than using privilege commands on the router itself.
David
CCIE Security
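An added example, not David's code and not tac_plus itself: a small evaluator for tac_plus-style command authorization, used to check what each kind of group in the post can actually run. The policy text inside it is constructed for this example and shortens the groups above; it includes a readonly group with a stray `deny .*` rule ahead of `permit .*` on `show`, and a corrected `readonly_fixed`. The matching semantics are an assumption about tac_plus: rules inside a `cmd` block are tried in order and the first regex that matches the command's arguments wins, a command that has a `cmd` block but matches no rule is denied, and a command with no `cmd` block falls back to the group's `default service`.

```python
# Added example (not David's code or tac_plus itself): evaluate tac_plus-style
# command authorization for a few groups. TAC_PLUS_CONF is constructed for
# this example. Semantics assumed: first matching rule in a cmd block wins,
# no matching rule -> deny, no cmd block -> "default service".
import re
from dataclasses import dataclass, field

TAC_PLUS_CONF = """
group = readonly {
    default service = deny
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = readonly_fixed {
    default service = deny
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = clear { permit line }
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = configure { permit .* }
}
group = admin {
    default service = permit
}
"""


@dataclass
class Group:
    name: str
    default_service: str = "deny"
    # command keyword -> ordered list of (action, regex) rules
    cmds: dict = field(default_factory=dict)


def parse_tac_plus(text: str) -> dict:
    """Parse the subset of tac_plus syntax used above into Group objects."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if m := re.match(r"group\s*=\s*(\S+)\s*\{", line):
            current = groups[m.group(1)] = Group(m.group(1))
        elif m := re.match(r"default\s+service\s*=\s*(permit|deny)$", line):
            current.default_service = m.group(1)
        elif m := re.match(r"cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.*?)\s*\}$", line):
            current.cmds.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return groups


def authorize(group: Group, command_line: str) -> bool:
    """First matching rule wins; no rule -> deny; no cmd block -> default service."""
    cmd, _, args = command_line.strip().partition(" ")
    rules = group.cmds.get(cmd)
    if rules is None:
        return group.default_service == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


GROUPS = parse_tac_plus(TAC_PLUS_CONF)


def check(group_name: str, command_line: str) -> bool:
    """Authorize one command line for a named group."""
    return authorize(GROUPS[group_name], command_line)


if __name__ == "__main__":
    for g in ("readonly", "readonly_fixed", "advanced", "admin"):
        for c in ("show running-config", "enable", "configure terminal",
                  "copy running-config startup-config", "reload"):
            print(f"{g:15} {c:35} {'permit' if check(g, c) else 'deny'}")
```

Run as a script it prints the permit/deny matrix. With the stray `deny .*` first, the readonly group cannot run any `show` command at all, because the first matching rule decides; reordering or removing that line restores read access. Note also that `cmd = enable { permit .* }` only authorizes typing the command: whether the user actually reaches privilege 15 is decided by the `aaa authentication enable` method list and the privilege level the server returns, not by command authorization, which is the first thing to check when a read-only user cannot get into enable mode.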