AAA & SSH question

Hi~
I have an authentication problem, my config is as follows:
1. When I use telnet, "% Authorization failed."
2. When I use ssh, entering the username without entering the password authenticates successfully.
3. When ssh authentication is successful, I do not see a passed-authentication record in the ACS log.
Why, with "login authentication console" configured under line vty 0 4, does ssh authenticate successfully when the username is entered without a password?
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host 172.18.1.247
tacacs-server timeout 60
tacacs-server directed-request
tacacs-server key xxxx
line con 0
authorization exec console
login authentication console
line vty 0 4
login authentication console
length 0
line vty 5 15
password 7 xxxx

Hi Hussam,
- IP domain-name is missing from the configuration
- Transport input ssh is missing under line vty 0 4
- Crypto key generate rsa is missing as well
but they are all not needed in this situation. And the "crypto key generate" is never included in the running config.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Similar Messages

  • AAA Config Questions

    Hello,
    I'm looking to understand AAA commands better and different ways to set it up. I've looked at the manuals but get lost mostly because it's boring to read. Is there a resource or a site that breaks this down in a better format that other folks have found helpful?
    Thanks,

    I'm not trying to do anything particular just yet, except learn a little more about them. I apologize for being vague. For example when I look at some of our configs I'm trying to understand what exactly does a command do. Take the first one for ex. I researched it some and the manual just confused me more than helped me on what this really does. I understand setting up SSH and doing simple things as I just passed the CCENT but studying for that didn't get down in the weeds on a lot of topics I feel I should know. Is this a method list? I'm not sure as I just read about that term today. I'm more of a visual learner so seeing some type of flow chart would make more sense like if a switch had "aaa authentication password-prompt PASSCODE---->" this command X..Y..and Z happens because of this. That type of thing. 
    aaa authentication password-prompt PASSCODE---->………...
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec default group radius local
    aaa authorization network default group radius
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Thanks

  • AAA ordering question

    Hi can someone explain to me how the WLC (4402) decides which server to use for AAA?
    I have two servers set up as AAA servers, One with a server index of 1 and the other with an index of 2
    Index 1 =  x.x.x.70
    Index 2 =  x.x.x.38
    Under the AAA tab of one of my wlans I have them listed as:
    Server 1 = x.x.x.38
    Server 2 = x.x.x.70
    Is it the index number that's the deciding factor, or is it the order in which they are listed under the AAA tab in the WLAN config page?
    Cheers
    Dylan

    Hi,
    There are two ways to set the priority of the Radius server. If you have the Radius servers defined under the WLAN the server defined as Server 1 will be used first, Server 2 will be used second, and so on. If you don't have the Radius servers listed under the WLAN they will be used in the order they are listed in the global config (index number).
    The Radius fallback configuration will also come into play.  If you have Radius fallback disabled when the primary Radius server fails the controller will start using the secondary but it won't move back to the primary until either the secondary fails or the controller is rebooted. If you have it enabled the controller will start using the primary server when it becomes available again.
    So off the top of my head these are the things which are coming..
    Can you please check the failed logs on the server to make sure there aren't any messages about the requests from the controller?  Could be that the shared secret key isn't matching or the controller isn't defined in the server.
    Even try pinging the server from WLC and see the connectivity..
    or even..
    check if there is any firewall problem between the WLC and the RADIUS server.
    Lemme know if this answered your question!!
    Regards
    Surendra
    ====
    Please don't forget to rate the useful post which answered your question or was helpful

  • SFTP and SSH question.

    Currently I have a headless OS X Client running Crush FTP over SSH (SFTP) for our work SFTP server this is separate from our main OS X G5 server box.
    I can't seem to SSH into the SFTP server via the terminal in order to manage it and poke around like I do with our server.
    I am about to set up a little OS X server at home and want SFTP access from it, as I can't justify a separate box, but I also want to be able to SSH into the box from the outside world too.
    I am firstly wondering what the issue is with my Crush FTP server and whether I will experience the same problem at home.
    The 2nd question is can OS X run FTP over SSH (SFTP) with the built in server admin tools and if so is it as easy as Crush FTP to manage?
    I will be using ACL's so I guess I could restrict access down that way.
    Thoughts, comments, suggestions and explanations very much welcome as I can't find much to answer the above.

    Hi: Port 115 is generally used for SimpleFTP. SecureFTP or FTPS uses port 989 and 990. This might help.
    Tony

  • AAA Authentication Question

    Here is the config I have on a switch:
    aaa authentication login default group tacacs+ local
    aaa authentication login vtylogin group tacacs+ local
    aaa authentication login conlogin group tacacs+ enable none
    aaa authentication enable default tacacs+ enable
    Now here are my issues:
    1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work.  Then I try the enable password, it does not work.  However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.
    2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available.  However even when tacacs is available I am still able to log into it using the local user account.  I am assuming that is by design?  Is there a way to stop that if it is not by design?

    But it won't use your local database unless your tacacs+ server is unavailable, so I really don't see the problem.
    If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the tacacs+ server; only if it times out will it use an alternative method, if one is listed in the method list.
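    The behaviour asked about in the first thread on this page (vty lines bound to a list whose only method is `none`) and in the thread just above (`local` after `group tacacs+` is a fallback for an unreachable server, not for a rejected login) both come down to how IOS resolves the login method list bound to each line. The following is an added example, not code from either thread or from Cisco: a small Python auditor that resolves the list for every `line` block and flags the weak resolutions. It assumes the unindented layout of the posted configs (a global command such as `aaa ...` or `tacacs-server ...` ends a line block); the line bindings for the second config are constructed, since that post shows only its method lists.

```python
import re
from typing import Dict, List

# Configuration from the first thread on this page (its author already masked the secrets).
CONFIG_THREAD1 = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
tacacs-server host 172.18.1.247
line con 0
 authorization exec console
 login authentication console
line vty 0 4
 login authentication console
 length 0
line vty 5 15
 password 7 xxxx
"""

# Method lists from the "AAA Authentication Question" thread, plus constructed line bindings
# (that post does not show its line sections).
CONFIG_THREAD4 = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vtylogin group tacacs+ local
aaa authentication login conlogin group tacacs+ enable none
aaa authentication enable default tacacs+ enable
line con 0
 login authentication conlogin
line vty 0 4
 login authentication vtylogin
"""

SERVER_METHOD = re.compile(r"^(group .+|tacacs\+|radius)$")
FALLBACK_METHODS = ("local", "local-case", "line", "enable")
GLOBAL_PREFIXES = ("aaa", "tacacs-server", "radius-server", "interface", "ip", "end")


def parse_methods(tokens: List[str]) -> List[str]:
    """'group tacacs+ local' -> ['group tacacs+', 'local']; 'group' always takes one argument."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config: str) -> Dict[str, dict]:
    """Resolve the login method list for every 'line' block and flag weak resolutions."""
    lists: Dict[str, List[str]] = {}
    bindings: Dict[str, str] = {}
    new_model, block = False, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:2] == ["aaa", "new-model"]:
            new_model, block = True, None
        elif tok[:3] == ["aaa", "authentication", "login"] and len(tok) > 4:
            lists[tok[3]] = parse_methods(tok[4:])
            block = None
        elif tok[0] == "line" and len(tok) > 1:
            block = " ".join(tok[1:])
            bindings.setdefault(block, "default")   # no 'login authentication' -> default list
        elif block and tok[:2] == ["login", "authentication"] and len(tok) > 2:
            bindings[block] = tok[2]
        elif tok[0] in GLOBAL_PREFIXES:
            block = None                             # assumption: a global command ends the line block
    report = {}
    for blk, name in bindings.items():
        methods, findings = lists.get(name), []
        if not new_model:
            findings.append("aaa new-model absent: named method lists are not in effect")
        if methods is None:
            findings.append(f"list '{name}' is not defined in this configuration")
            methods = []
        if methods and methods[0] == "none":
            findings.append("no authentication: first method is 'none', a username alone is accepted")
        elif "none" in methods:
            findings.append("falls back to 'none' if every earlier method is unavailable")
        for i, m in enumerate(methods):
            if m in FALLBACK_METHODS and any(SERVER_METHOD.match(x) for x in methods[:i]):
                findings.append(f"'{m}' is tried only when the preceding server group does not respond, "
                                "not when it rejects the credentials")
                break
        report[blk] = {"list": name, "methods": methods, "findings": findings}
    return report


if __name__ == "__main__":
    for label, cfg in (("thread 1", CONFIG_THREAD1), ("thread 4", CONFIG_THREAD4)):
        for blk, info in audit(cfg).items():
            print(f"[{label}] line {blk}: list '{info['list']}' = {info['methods']}")
            for f in info["findings"]:
                print("    -", f)
```

    Run against the first config it reports `con 0` and `vty 0 4` as unauthenticated (the `console` list is just `none`) and `vty 5 15` as `group tacacs+` with the line password reachable only on a TACACS+ timeout; against the second it reports `local` and `enable` as timeout-only fallbacks, which is the behaviour the reply above describes.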

  • Terminal SSH question

    Hi, I'm trying to SSH into my ATV2 in order to install xbmc.
    In my efforts, I managed to muck up my ssh commands in terminal.
    When I try to log in to root, I get:
    /Users//.ssh/config: line 2: Bad configuration option: as;ldfkj
    /Users//.ssh/config: line 3: Bad configuration option: j;ljk
    /Users//.ssh/config: line 4: Bad configuration option: ls
    /Users//.ssh/config: terminating, 3 bad configuration options
    What command do I need to type in order to clear out those configuration options?
    Thanks in advance!!

    Edit: I just looked at the original post again, because I was wondering how SSH could be of any use to someone who doesn't understand the shell, and I realized that you're asking for help in hacking a jailbroken AppleTV. This isn't the place for that. Go back to the site where you found the hack and ask your question there.

  • Authentication aaa certificate question

    I have a tunnel-group configured with "authentication aaa certificate". When the client tries to connect and fails due to "No valid certificate available for authentication", I would expect the connection to be terminated, but for some reason it gives you a second chance and asks to enter AAA credentials. Is that normal fallback behavior? How do I stop the ASA from giving a second chance in this scenario?
    Thanks

    Thanks for taking time to look into it Portu!
    Here is the tunnel-group config
    sh run tunnel-group  USERTunnelGroup
    tunnel-group USERTunnelGroup type remote-access
    tunnel-group USERTunnelGroup general-attributes
    address-pool USERDHCPPool1
    authentication-server-group SSL-VPN
    default-group-policy USERGP
    tunnel-group USERTunnelGroup webvpn-attributes
    customization USERCustom
    authentication aaa certificate
    group-alias /USERTunnelGroup disable
    group-alias USERTunnelGroup disable
    group-alias Full_Tunnel disable
    group-alias WIndows7_MAC disable
    group-url enable
    See attachment for debug outputs.
    Here is the group-policy:
    sh run group-policy USERGP
    group-policy USERGP internal
    group-policy USERGP attributes
    wins-server value
    dns-server value
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 45
    vpn-session-timeout none
    vpn-filter none
    ipv6-vpn-filter none
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain value
    vlan none
    nac-settings none
    smartcard-removal-disconnect enable
    webvpn
      url-list value USER
      filter none
      homepage none
      anyconnect ssl dtls enable
      anyconnect mtu 1406
      anyconnect firewall-rule client-interface public none
      anyconnect firewall-rule client-interface private none
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time none
      anyconnect ssl rekey method none
      anyconnect dpd-interval client 10
      anyconnect dpd-interval gateway 10
      anyconnect ssl compression deflate
      anyconnect profiles value USERVPNCLient type user
      anyconnect ask none default webvpn
      customization value USERCustom
      activex-relay enable
      url-entry enable
      smart-tunnel auto-signon disable
      anyconnect ssl df-bit-ignore disable
      always-on-vpn profile-settingup enable

  • SSH Question

    Running Solaris 10 on SPARC
    How can I find the current version of ssh running?
    svcs -l ssh does not return version information
    Does Sun have its own SSH (flavor) or does Sun use OpenSSH??
    Thanks

    Run the following command to find the version of SSH on the host:
    $ ssh -V
    Note that it's a capital "V".
    Yes, Sun uses its own version of SSH. Version 1.0 (which is out of the box) is based on OpenSSH 2.3 while version 1.1 is based on 3.5p1. There's more information on this in the SSH project page at the OpenSolaris.org site.
    Cheers,
    Erick Ramirez
    Melbourne, Australia

  • Ssh to iMac from my PC with graphic applications

    How can I ssh to my iMac from my window PC?
    I am using SecureCRT + Xming to ssh to my iMac, but I could not open the graphic applications (e.g. xv) through ssh. (I can do it when ssh to a Linux machine though).
    Do I have to setup something in my iMac machine?
    Is there any window software (other than SecureCRT + Xming) that can help me to do that?
    Thanks.

    Generally speaking, you tunnel your X11 X-Windows session by starting the ssh session using the -X (capital X) or -Y (capital Y) ssh command line option. This establishes an X11 tunnel, and on the remote system associates your DISPLAY environment variable with the remote end of the ssh tunnel. Typically DISPLAY looks something like localhost:14.0
    I do not know how to tell your SecureCRT + Xming setup to export your X11 display server's DISPLAY environment to Mac OS X.
    I also assume you have an X11 display server running on your Windows PC.
    Note: Terminal, Unix, command line (such as ssh) questions are best asked in the Mac OS X Technologies > Unix Forum
    <http://discussions.apple.com/forum.jspa?forumID=735>

  • Is it possible to support 1 Certificate for each WLAN???

    Hello all and thank you in advance for your assistance....
    We are moving forward with a mobility project which requires our network to authenticate/authorize based on certificates.  Here are a couple of scenarios we need advice on...
    Background:   WLAN_1 has 802.1x enabled passing the cert through to the MS CA which authorizes the cred, which in turn passes the AD creds of the user to the MS RADIUS server for authenticate/authorization.
    Hardware: WLC 5508 running 7.2.110.0 3600 APs ACS 5.2 not used for AAA
    Issue/Questions...
    1. As we turn up additional SSIDs, we need Mobile SSID to accept ONLY the Mobile Cert, our Internet SSID to only accept the Internal Cert and our GUEST SSID to deny ANY Cert issued by our CA.
    I know ISE makes this much easier, but I don't have it and need this to work as best we can until next fiscal cycle....Any assistance is greatly appreciated

    Stephen - please correct me if I am wrong -
    WLC -
    1. For the given SSID point the WLC to the ACS 5.2 server for AAA
    ACS -
    1. Define the WLC as a AAA client in ACS under Network Resources tab
    2. Create an external ID store using Cert Auth Profile
         - define the attribute to check (CN=)
    3. Create a custom session condition to examine the Cert Dictionary for the Attribute CN=
    4. Create a device filter for the WLC
    5. Create an Authorization Network Access Authorization Profile
         - however since I am only checking the cert I don't need any RADIUS values for Identity
    6. Create access policy with authorization criterion for Cert Dict = cn = "value" result = Permit
    Is this even close?

  • Passing SCP password in a script

    Dear all,
    I am passing a file from one server to another using scp. It asks for password to do with the command
    scp -r /file_path/filename 10.10.80.80:/target_path. I want to schedule it in a script; how can I pass the password to scp in a script, or is there a way to pass the password to scp as an argument in its command?
    Regards,
    Charan

    For example: use curl to copy the file testme.txt from aaa.example.com to bbb.example.com, using account name oracle
    Connect to host aaa:
    $ ssh oracle@aaa.example.com
    Create a known entry (fingerprint) for bbb.example.com in the ssh .known_hosts file:
    $ ssh oracle@bbb.example.com
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'bbb.example.com' (RSA) to the list of known hosts.
    Create a test file and copy it to bbb.example.com using curl
    $ echo "must not be empty" > testme.txt
    $ curl -T testme.txt -u oracle:your_password scp://bbb.example.com/u02/backup
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     7      0     29 --:--:-- --:--:-- --:--:--    29
    Note: you will need a recent version of curl to support scp.
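    Passing the password on the curl command line, as in the reply above, exposes it to every local user through the process list and leaves it in the shell history. The usual fix for an unattended scp is an SSH key pair; where a password must be used, curl can read it from a config file (`-K`) created with owner-only permissions, so the command line carries only the file's path. The following Python helper is an added example, not part of the reply; the account, host and paths are constructed to match the reply, and the password value is a placeholder.

```python
import os
import stat
import tempfile
from typing import List


def _quote(value: str) -> str:
    """curl config-file quoting: wrap in double quotes, backslash-escape backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_curl_config(path: str, user: str, password: str, local_file: str, target_url: str) -> str:
    """Create a curl -K config file holding the credentials, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"user = {_quote(user + ':' + password)}\n")
        f.write(f"upload-file = {_quote(local_file)}\n")
        f.write(f"url = {_quote(target_url)}\n")
    os.chmod(path, 0o600)   # O_CREAT does not tighten the mode of a pre-existing file; chmod does
    return path


def curl_command(config_path: str) -> List[str]:
    """The argv to run: the secret lives in the file, so ps and shell history only see the path."""
    return ["curl", "--silent", "--show-error", "--fail", "-K", config_path]


def file_is_private(path: str) -> bool:
    """True when neither group nor others hold any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def prepare_upload(workdir: str, password: str) -> dict:
    """Constructed values matching the reply above (account oracle, host bbb.example.com)."""
    cfg = write_curl_config(os.path.join(workdir, "upload.curlrc"), "oracle", password,
                            "testme.txt", "scp://bbb.example.com/u02/backup/testme.txt")
    return {"config": cfg, "argv": curl_command(cfg), "private": file_is_private(cfg)}


def demo(password: str = "replace-me") -> dict:
    """Build the config in a scratch directory and return what a caller would check before running curl."""
    with tempfile.TemporaryDirectory() as d:
        result = prepare_upload(d, password)
        with open(result["config"]) as f:
            result["content"] = f.read()
    return result


if __name__ == "__main__":
    print(demo())
```

    In a real script the config file lives in a directory only the scheduling account can enter, and the password is the service account's, never an administrator's; the key-based alternative avoids storing it at all.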

  • Diamond question mark boxes instead of unicode via ssh in term.

    Terminal and iTerm both show the diamond shaped question mark box (instead of the proper unicode) when I am SSHed into a remote machine. For the most part this is just a cosmetic issue, though it's annoying when I am trying to read non-english messages on IRC, etc.
    irssi (for example) running locally displays everything properly: http://dl.dropbox.com/u/62449/localirssiunicode.png
    Over ssh I get this: http://dl.dropbox.com/u/62449/sshirssiwat.png
    The local terminal is set to utf8, and all the default encodings are selected, but playing with them doesn't seem to help much.
    I hope I am posting this in the right place.

    The general approach at this time is to ask if you've checked for any problematic fonts (all languages) with Apple's Font Book (look in the Applications folder). Find and remove all duplicates also.
    Start there to be sure all fonts that are in play come out with a clean bill of health.
    Don't hesitate to perform wholesale deletion of old and/or little used fonts - be skeptical of anything that has come from Office 2008, including those related to an Equation Editor installation.
    By all means be sure any 3rd party apps AND plug-ins are Snow Leopard compatible.
    An additional measure is to clear the existing font caches:
    http://www.macworld.com/article/139383/2009/03/fontcacheclear.html
    That said, 10.6.2 release notes have this to say about fonts:
    http://support.apple.com/kb/HT3874
    Fonts fixes provided for:
    • an issue with font spacing
    • an issue in which some Fonts are missing
    • font duplication issues
    • an issue with some PostScript Type 1 fonts not working properly
    Good luck in any case.

  • Advanced Network Question - SSH tunneling through time capsule

    Hi!
    I have a small question. I just got a time capsule the other day and things are working great with it. At home, internet speeds are what they should be and everything is fine. I replaced it with a linksys, with which I consistently got 6.5/1 up. After replacing it, I'm now getting 7.5 down/1mbps up, which is what I am subscribed to.
    I used to ssh into my linux box and tunnel web traffic over SSH so when I'm on the road, others can't sniff my traffic. Basically, I set up firefox to use a socks server, then ssh into home with a dynamic port mapping.
    On the linksys (wrt54g), this worked great, and the speeds were acceptable (about 1mbps down/1mbps up). However, after switching the linksys with the time capsule, it seems like the speeds have slowed down tremendously. I'm now getting about 200k down and 1 mbps up when I ssh and tunnel web traffic through my home.
    I know that this isn't anything people normally do, but it works great and prevents people from spying on my web traffic when I'm away from home. I was just wondering if anybody has any ideas on why it might be slower now that I replaced it with the time capsule.
    Thanks!

    Hello H Salk. Welcome to the Apple Discussions!
    Enabling NAT on any Internet router, not just the AirPort & Time Capsule, will affect data transfer rates (in both directions) to devices connected either by wire or wireless to that router.

  • Integrating AAA Radius-server with Micro-soft IAS for SSH

    Hi,
    I am configuring aaa-server on an ASA-5505 (RADIUS) and I am using Microsoft IAS for authentication for SSH connections on the ASA, so during "test aaa-server authentication" I get this message:
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    All users are there in Active Directory. Below are the debug radius and debug aaa authentication outputs.
    ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
    INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
    radius mkreq: 0xd4
    alloc_rip 0xd83bb99c
        new request 0xd4 --> 124 (0xd83bb99c)
    got user 'praveeny'
    got password
    add_req 0xd83bb99c session 0xd4 id 124
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)
    Raw packet data (length = 66).....
    01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
    4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
    a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
    00 05                                              |  ..
    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 124 (0x7C)
    Radius: Length = 66 (0x0042)
    Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    70 72 61 76 65 65 6e 79                            |  praveeny
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.16.1.10/1645
    rip 0xd83bb99c state 7 id 124
    rad_vrfy() : bad req auth
    rad_procpkt: radvrfy fail
    RADIUS_DELETE
    remove_req 0xd83bb99c session 0xd4 id 124
    free_rip 0xd83bb99c
    radius: send queue empty
    Thanks in advance all comments and suggestion are welcome
    Regards,
    Praveen
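    The hex dump in the post above is a complete RADIUS Access-Request (RFC 2865), and the `rad_vrfy(): bad req auth` line is the ASA failing to verify the server's reply: the Response Authenticator is an MD5 over the reply header, the Request Authenticator, the attributes and the shared secret, so a server and a NAS holding different secrets never agree on it, which is what the ASA's own "server secret mismatch" message reports. The following Python is an added example, not part of the post or of Cisco's debug code: it parses the posted packet into the same fields the ASA printed, then builds an Access-Reject with a constructed server secret and verifies it with a matching and with a mismatched NAS secret. Both secrets are constructed; the User-Password value cannot be recovered from the dump without the real secret and is left opaque.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# The Access-Request from the ASA debug above, re-assembled from its hex dump
# (66 bytes, identifier 124, user praveeny, NAS-IP-Address 172.30.30.6).
ACCESS_REQUEST = bytes.fromhex(
    "017c0042" "37a40dc2d310090e2f3cc51a4b2841e6"   # code, id, length, Request Authenticator
    "010a7072617665656e79"                          # User-Name "praveeny"
    "0212a18fe1ae58ddc252d637f732133a1c71"          # User-Password (hidden with the shared secret)
    "0406ac1e1e06"                                  # NAS-IP-Address 172.30.30.6
    "05060000000e"                                  # NAS-Port 14
    "3d0600000005"                                  # NAS-Port-Type 5 (Virtual)
)

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 18: "Reply-Message", 61: "NAS-Port-Type"}
ACCESS_REQUEST_CODE, ACCESS_ACCEPT_CODE, ACCESS_REJECT_CODE = 1, 2, 3


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet (RFC 2865 section 3) into its header and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def describe(parsed: dict) -> list:
    """Render attributes the way the ASA's 'Parsed packet data' section does."""
    out = []
    for atype, value in parsed["attrs"]:
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 4:
            shown = str(IPv4Address(value))
        elif atype in (5, 61):
            shown = hex(int.from_bytes(value, "big"))
        elif atype == 2:
            shown = value.hex()          # not recoverable without the shared secret
        else:
            shown = value.decode("latin-1")
        out.append(f"{name} = {shown}")
    return out


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, request, attrs_bytes, secret):
    """What the server sends back; the authenticator binds the reply to the request and the secret."""
    auth = response_authenticator(code, request["id"], attrs_bytes, request["authenticator"], secret)
    return struct.pack("!BBH", code, request["id"], 20 + len(attrs_bytes)) + auth + attrs_bytes


def verify_response(response, request, secret) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its own copy of the secret."""
    parsed = parse_radius(response)
    if parsed["id"] != request["id"]:
        return False
    expected = response_authenticator(parsed["code"], parsed["id"], response[20:],
                                      request["authenticator"], secret)
    return hmac.compare_digest(expected, parsed["authenticator"])


def demo_secret_mismatch() -> dict:
    """Constructed secrets (not from the page): the server's copy and a mistyped copy on the NAS."""
    server_secret, nas_secret = b"shared-secret-on-IAS", b"shared-secret-on-ASA"
    request = parse_radius(ACCESS_REQUEST)
    msg = b"test reject"
    reject = build_response(ACCESS_REJECT_CODE, request, bytes([18, 2 + len(msg)]) + msg, server_secret)
    return {
        "matching": verify_response(reject, request, server_secret),   # True: reply accepted
        "mismatch": verify_response(reject, request, nas_secret),      # False: NAS discards the reply
    }


if __name__ == "__main__":
    print("\n".join(describe(parse_radius(ACCESS_REQUEST))))
    print(demo_secret_mismatch())
```

    Because the NAS silently discards a reply whose authenticator does not verify, a secret mismatch looks like a server timeout from the NAS side and like a bad password from the server side; checking the server's failed-request log, as suggested elsewhere on this page, is the quickest way to tell the two apart.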

    Hi,
    RADIUS as a protocol does not support command accounting, ie., logging of commands that a users enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used has been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
    Thanks,
    Wen

  • Basic N1 SSH config questions...

    At the risk of asking remedial questions, are these actions correct?
    - When generating SSH keys, I am to generate one set with the ID used to install/owner of the MS (agent, server, cli)? (I can't remember now if cli installed w/ the master server or not, I think it did)
    - I am to create a second user and generate keys, and place this user's pub key into the authorized_keys2 file of the first user (product install/owner of MS)
    - How do I tell N1 about the existence of this second user? Is this what pe.defaultUserToRunAs is for? I cannot find this in the docs.
    - According to previous postings, root ssh'ing is required for OSP. This makes no sense to me when the agent can be owned by a non-root user, yet can execute native commands with root priv.
    - The docs state that SSH forwarding works downstream, but can it use loop back to the master server?
    - Why do I see the product use a root shell to CLI back to the Master server (OSP question)? Should this be happening?
    Thanks for everyone's help.
    Pete.

    > At the risk of asking remedial questions, are these actions correct?
    > - When generating SSH keys, I am to generate one set with the ID used to install/owner of the MS (agent, server, cli)? (I can't remember now if cli installed w/ the master server or not, I think it did)
    True for MS/LD/RA as they always run with the same uid. CLI works best if always invoked as the install owner. If the CLI is invoked as any other user, then there are a couple of options:
    one is to make sure that each user has their ssh keys configured so that the connection from their machine to the MS machine with their ssh credential succeeds.
    Another is to configure CLI to always use a single identity to connect to the MS. For security reasons, you may want this identity to be different from the MS install owner. If you look at the ssh man page, it allows you to override the default uid and identity file locations through options -l & -i.
    Let's say we create a new user spsuser, for CLI authentication.
    We can then generate ssh keys for spsuser and put them in this identity file, let's say /home/spsuser/ssh/identity.
    We can then configure sps CLI to override the ssh credentials that are used when connecting to the MS as
    net.client.parms.1=sshargs=-o|BatchMode yes|-l|spsuser|-i|/home/spsuser/identity
    That way CLI will always try to use the same ssh identity regardless of who invokes it. However, since I haven't tested this configuration, I'm not certain if it will work. The one possible issue here is that ssh may complain about the identity file having global read permissions.
    > - I am to create a second user and generate keys, and place this user's pub key into the authorized_keys2 file of the first user (product install/owner of MS)
    Nope, the keys always belong to the same user, unless you are overriding the default user to the first user when running ssh as the second user.
    > - How do I tell N1 about the existence of this second user? Is this what pe.defaultUserToRunAs is for? I cannot find this in the docs.
    I think you are talking about the CLI here. In this case you'll be running the CLI as the second user, right? In that case all you need to do is to make sure that the second user is able to connect to the MS machine from the CLI machine using ssh, without requiring any user interaction.
    > - According to previous postings, root ssh'ing is required for OSP. This makes no sense to me when the agent can be owned by a non-root user, yet can execute native commands with root priv.
    The ability to run native commands as root is only available when the agent is running as root. Otherwise the plan that tries to run exec native as root will fail if the agent that it's running on is not running as root.
    > - The docs state that SSH forwarding works downstream, but can it use loop back to the master server?
    Not sure I understand the question. Downstream here implies from the machine invoking the ssh client to the machine that's running the ssh daemon. I don't think ssh would care if the ssh daemon was connected to via any IP address or loopback...
    > - Why do I see the product use a root shell to CLI back to the Master server (OSP question)? Should this be happening?
    My opinion is that CLI doesn't need to run as root for most of its functionality. The only case where it may need to run as root is when the files that it's trying to check in are only readable by root. However, it may make sense to make those files readable by the CLI user instead of running CLI as root in that case. Don't know if it makes sense to have OSP run the CLI as a non-root user instead..
    hth,
    Aj
