AAA TACACS for CM GUI login authentication?

Has anyone successfully implemented TACACS authentication TO the CM GUI?  I have the CM configured for TACACS authentication to the WAE devices GUI and CLI - that works fine with the admin role assigned.  It does not work for authentication to the CM GUI though.  I can log in to the CM GUI, but no data is displayed and the configuration pages are not available - (Your account does not have privileges to access any of the Central Manager pages.).
So, I've created a new role with all the services enabled and applied that instead of the admin role.  The effect is the same.  It works fine for the WAE devices GUI and the CLI but not for the CM GUI.
What am I missing?  How can I get authentication login to work on the CM GUI AND the data displayed and configuration pages available? 

Hi David,
I have tried to understand your problem, but it's a bit confusing.
You have defined:
line con 0
login authentication cisco     #cisco is list-name
According to the command reference for 15.3:  http://www.cisco.com/en/US/partner/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284
"cisco" was the list name. What is the configuration of that list-name?
(you put only default list-name from your configuration).
If you want to use line defined password you could do:
aaa authentication login line-list line
line con 0
password cisco
login authentication line-list
Regarding your question about the locally defined password. If you use a list which uses the "local" method and there is no specific local user, then your access will always be denied.
If you use a list with "tacacs" and then "local" methods, then the local username will be queried only when the tacacs server is not responsive. But if the tacacs server returns "authentication failure/bad password", your access will be denied and the "local" username will not be checked. This is a bit different than in linux/juniper configuration, which will query the next authentication method in case of password failure of the previous method.
Please also remember that the default AAA list is always overridden by a specific list configured under line con 0.
Michal
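Michal's rule about "tacacs" followed by "local" is easiest to see in code. The block below is an added Python model written for this page (not Cisco's code and not from the forum) of how an IOS `aaa authentication login` method list is evaluated: a method that reaches a verdict, pass or fail, ends the evaluation, and only an ERROR (no verdict, such as an unreachable server) hands over to the next method. It goes beyond the reply by also modelling the `line` and `none` methods and named TACACS+ server groups. Assumptions: the hosts 10.20.30.40 and 10.50.60.70, the group name vty_TAC, and every username and password are constructed sample data; the model treats a username missing from the local database as an error rather than a failure, which is the IOS behaviour it assumes; and `weak_fallbacks` is a review aid added here, not an IOS feature.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # verdict: grant access and stop
    FAIL = "fail"    # verdict: deny access and stop; the next method is NOT tried
    ERROR = "error"  # no verdict (e.g. server unreachable): try the next method


@dataclass
class TacacsServer:
    address: str
    reachable: bool
    users: Dict[str, str]  # username -> password known to this server (constructed)


@dataclass
class Device:
    local_users: Dict[str, str]    # 'username NAME password PW' entries
    line_password: Optional[str]   # 'password PW' under the line, if any
    # "group tacacs+" is every tacacs-server host in configured order; a named
    # "aaa group server tacacs+ NAME" limits a method to the hosts listed in it.
    server_groups: Dict[str, List[TacacsServer]] = field(default_factory=dict)


def tacacs_method(dev: Device, group: str, user: str, pw: str) -> Result:
    """The first server in the group that answers gives the verdict; if none
    answers, the method returns ERROR and the next method is consulted."""
    for srv in dev.server_groups[group]:
        if srv.reachable:
            return Result.PASS if srv.users.get(user) == pw else Result.FAIL
    return Result.ERROR


def local_method(dev: Device, user: str, pw: str) -> Result:
    # Modelled IOS behaviour (assumption): a username absent from the local
    # database is an ERROR (next method tried); a known user with a wrong password FAILs.
    if user not in dev.local_users:
        return Result.ERROR
    return Result.PASS if dev.local_users[user] == pw else Result.FAIL


def line_method(dev: Device, user: str, pw: str) -> Result:
    # Without a line password there is nothing to check, so evaluation continues.
    if dev.line_password is None:
        return Result.ERROR
    return Result.PASS if pw == dev.line_password else Result.FAIL


def authenticate(dev: Device, methods: List[str], user: str,
                 pw: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Evaluate a list such as ["group tacacs+", "local"]; return verdict and trace."""
    trace = []
    for method in methods:
        if method.startswith("group "):
            result = tacacs_method(dev, method.split(" ", 1)[1], user, pw)
        elif method == "local":
            result = local_method(dev, user, pw)
        elif method == "line":
            result = line_method(dev, user, pw)
        elif method == "none":
            result = Result.PASS   # 'none' asks nothing and always grants access
        else:
            raise ValueError(f"unknown method {method!r}")
        trace.append((method, result))
        if result is not Result.ERROR:
            return result, trace   # a verdict (PASS or FAIL) ends evaluation
    return Result.FAIL, trace      # every method errored: the login is denied


def weak_fallbacks(methods: List[str]) -> List[str]:
    """Review aid (not an IOS feature): flag lists that can grant access with
    no password check once the earlier methods return ERROR."""
    warnings = []
    if "none" in methods:
        warnings.append("'none' grants access whenever every earlier method errors")
    if "local" in methods:
        after_local = methods[methods.index("local") + 1:]
        if "line" in after_local or "none" in after_local:
            warnings.append("usernames missing from the local database fall "
                            "through 'local' to 'line'/'none'")
    return warnings


def build_sample_device(servers_up: bool = True) -> Device:
    """Constructed sample state: two TACACS+ hosts, one local user, no line password."""
    primary = TacacsServer("10.20.30.40", servers_up, {"alice": "Tacacs-pw1"})
    secondary = TacacsServer("10.50.60.70", servers_up, {"bob": "Vty-pw2"})
    return Device(local_users={"admin": "Local-pw3"}, line_password=None,
                  server_groups={"tacacs+": [primary, secondary],
                                 "vty_TAC": [secondary]})


if __name__ == "__main__":
    up, down = build_sample_device(True), build_sample_device(False)
    print(authenticate(up, ["group tacacs+", "local"], "admin", "Local-pw3"))    # FAIL
    print(authenticate(down, ["group tacacs+", "local"], "admin", "Local-pw3"))  # PASS
    print(authenticate(down, ["group tacacs+", "local", "line", "none"], "nobody", "x"))  # PASS
    print(weak_fallbacks(["group tacacs+", "local", "line", "none"]))
```

Run as a script, the first call shows the point of the reply: with the server answering, a correct local password never gets checked because the TACACS+ verdict is final. The second shows the fallback that does happen (server unreachable, local consulted). The third shows why `none` at the end of a list is dangerous once the server is down and the username is unknown locally. The named group case (`group vty_TAC`) shows that a method bound to the default `group tacacs+` asks the first configured host, whereas a named group asks only its own members.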

Similar Messages

  • Aaa authentication using tacacs+ for LAP

    With Autonomous AP, you can configure aaa authentication using Tacacs+.
    In lightweight AP, do you have a similar function where you authenticate using tacacs+ when you telnet/ssh into the LAP after it is registered to the WLC?
    Rgds
    Eng Wee

    There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

  • How to use 2 AAA server for different login purpose

    Hello, could you help me?
    This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
    The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server which takes care of login on our network equipment.
    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    virtual-profile virtual-template 1
    virtual-profile aaa
    interface Serial2/0:15
    description ISDN30
    no ip address
    encapsulation ppp
    no ip route-cache
    no keepalive
    dialer pool-member 10
    isdn switch-type primary-net5
    isdn tei-negotiation first-call
    isdn caller xxxxxxx
    no fair-queue
    compress stac
    no cdp enable
    ppp authentication chap
    ppp multilink
    interface Virtual-Template1
    ip unnumbered FastEthernet1/0
    ip nat outside
    ppp authentication chap
    tacacs-server host 10.20.30.40 key ********
    line con 0
    exec-timeout 20 0
    password ************
    login authentication no_tacacs
    transport input none
    flowcontrol hardware
    line aux 0
    line vty 0 4
    access-class 1 in
    exec-timeout 60 0
    password *************
    login authentication no_tacacs
    transport input telnet
    transport output telnet
    If I just add
    aaa authentication login vtymethod group tacacs+ enable
    tacacs-server host 10.50.60.70 key ********
    line vty 0 4
    login authentication vtymethod
    My telnet request asks 10.20.30.40 and I get a deny! Could you help me make a secure solution?
    Thanks

    Jens
    I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
    aaa group server tacacs+ vty_TAC
    server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    tacacs-server host 10.50.60.70 key ********
    I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
    Give it a try and let us know what happens.
    HTH
    Rick

  • AAA login authentication methods

    Hello guys,
    I've noticed a strange behaviour with AAA authentication login.
    My AAA configuration for login authentication is: aaa authentication login default group tacacs+ local
    No tacacs server exists, but username and password in local database does. Indeed everything works fine when I log in: aaa authentication login default group tacacs+ local line none
    The problem comes up when I add to the method list line and none authentication methods.
    In this case, when I log into the switch (via console for example) and I'm asked for a username, there is no validation of the username; I mean to say, I can put in whatever username and be granted access.
    Conclusion: according to my aaa authentication list, the line or none method should not be used unless tacacs and local are not available. In this case, the local method is available and should fail, so the login should be rejected, but it jumps to the next method, finally giving access.
    Is this a bug in AAA, or am I misunderstanding something?
    Thanks a lot.

    Only the exec-timeout command, so it applies the default list defined by aaa.
    When I remove the none, authentication fails. I've debugged AAA authentication and it shows:
    User Access Verification
    Username:
    Jul  5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f 
    Jul  5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf
    Jul  5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
    % Authentication failed
    Username:
    Local authentication method is being bypassed.
    If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.
    Thanks.

  • What is the difference between Login authentication using AAA and Login Local

    Hello,
    I am currently studying my CCNA and I am curious as to what is the difference between configuring the below 2 options, which seem to achieve the same outcome to me.
    1).
    Router(config)#username user1 password pass1
    Router(config)#line vty 0 15
    Router(config-line)#login local
    Or
    2).
    Router(config)#username user1 password pass1
    Router(config)#aaa new-model
    Router(config)#aaa authentication login LOCAL_AUTH local
    Router(config)#line vty 0 15
    Router(config-line)#login authentication LOCAL_AUTH
    Thanks for your replies

    When only looking at the authentication as you have configured it, you are right. Both do the same thing. But when you activate aaa new-model, you have plenty more options to control how your complete AAA is working. Most important, you can send the authentication to an external Authentication-server with RADIUS or TACACS+ or you can do Authorization where the external server controls what you are allowed to do after you have authenticated.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • How to set up local server to use a remote server for login authentication?

    Thank you in advance for any help you can offer.
    We are trying to set up a "sub-network" (don't know if this is the right terminology) using a 10.4 Server OS, to manage a set of clients... the trick is that the client login/home directory information is on a different remote server, and shall remain there, for the most part.
    To make it easy to understand here's the environment:
    *Local Server:* 10.4 G4 Server Quicksilver 1G dual--we have total control of this one
    *Main/remote server:* 10.5 Xserve.. don't know which vintage--we have very very very little input on this machine.. effectively at the mercy of the sysadmin of this system who is very conservative in changing anything (hence the need for a separate server to install applications and client machine-specific profiles, etc since the Xserve admin refuses to do it). This serves MacBooks/MacBookPros and few iMacs. (no Windows PC.. as that group of computers have their own server)
    client: ~20 eMacs/iBooks all running 10.4.
    use environment: elementary school-->very low network demand (no e-mail, just running local apps linking to server(s) for licensing and login, and some file saving small files on remote server, user preferences, etc).
    The remote server (the Xserve) has all the login authentication, as well as the home directories. every school year, the directories get updated as new students enroll and old students graduate. Currently all the clients are directly linked to the Xserve via LDAP while we bring the local server on-line.
    the local server (our G4 Quicksilver) will have a few network applications that will support the client machines. We also will be setting up computer accounts and groups for our clients so that we can properly set their environments (the Xserve admin will not do this on the Xserve, so currently all the clients are connecting to the server as a "guest computer" from what little I understand watching what was done)
    now, what is the best way to approach this type of set up with minimal "inconvenience" of the Xserve admin?
    I am pretty experienced with standalone UNIX and macOS X administration, but a novice to this whole Server and network setup thing. Any suggestions, instructions, pointers to URLs with how-tos is much appreciated. I am not afraid to use Terminal (grew up on UNIX before GUI), etc., and willing to try safe but unconventional setups if that is what's needed...
    thanks for any help!

    Oh never mind.... I figured it out myself; it helps to read up on the manuals. d'oh. sorry for the bandwidth waste...

  • How do you set up tacacs+ for exec authentication when using WDS???

    I set up tacacs+ authorization on the WDS and it works great. When I tried to set it up on the infrastructure ap1200 I am unable to login unless it is as a locally defined user. I have attached some config info from the infrastructure AP Version 12.2(15)JA. I am using ACS 3.3
    aaa new-model
    aaa group server tacacs+ tac_admin
    server 10.2.57.82
    aaa group server tacacs+ tac_acct
    server 10.2.57.82
    aaa authorization exec default local group tac_admin
    aaa authorization exec ap_exec group tac_admin local
    aaa accounting exec default start-stop group tacacs+ group tac_admin
    aaa session-id common
    dot11 aaa csid unformatted
    dot11 network-map
    dot11 arp-cache optional
    tacacs-server host 10.2.57.82 single-connection port 49 key a-!kGB9qr0H
    tacacs-server directed-request
    wlccp ap username SetrusAdrU password 7 150B3508162B6605176A662303
    line con 0
    line vty 5 15
    authorization exec ap_exec
    I am not receiving any passed or failed logs on the ACS or in the TACACS administration log. Any help would be appreciated.

    Tacacs is working. I added the following lines to the configuration attached to the first post:
    ============================
    aaa authentication login ap_exec_login group tac_admin local
    ============================
    line vty 0 4
    authorization exec ap_exec
    login authentication ap_exec_login
    line vty 5 15
    authorization exec ap_exec
    login authentication ap_exec_login
    =============================
    The TACACS+ Accounting, Authorization and Authentication works great.

  • How can I set up SSL login authentication on one domain for multiple domains

    Our site currently runs in 22 countries with 22 different
    country domains:
    www.mysite.com
    www.mysite.co.uk
    www.mysite.fr
    etc
    We want to use SSL on our login pages but realise that the
    cost of certification for every domain is expensive. One solution
    would be to channel all login activity to a single domain, eg:
    www.mysite.com/login.cfm?site=fr which would then redirect to
    www.mysite.fr – this is how Google do it
    But, currently we are using encrypted cookies for login
    authentication so we would have the problem of having to transfer
    the cookie info across domains securely. Is there any way of going
    about this?
    Any other suggestions would be great, too. We do plan to move
    to session management for logins but this is a longer term project
    so we are hoping to sort out the SSL prior to that.

    Can you not pass the values you need as URL parameters?
    Encrypt them before you send them and then decrypt them on the new
    domain. Then add them to whatever place you need (cookie, session,
    etc.)?

  • Tacacs Fallback and console login

    Hello,
    I am trying to create a tacacs config that will make sure that when you log onto the console you do not get tacacs and that we are on line login and local enable. If connectivity to the tacacs server is lost, the login for telnet defaults to the line password and uses the local enable password.
    My config:
    aaa authentication login default group tacacs+ line
    aaa authentication login CONSOLE line
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec CONSOLE none
    aaa authorization commands 1 default if-authenticated
    aaa authorization commands 15 default if-authenticated
    aaa authorization commands 1 CONSOLE none
    aaa authorization commands 15 CONSOLE none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    line con 0
    password xxxxx
    authorization exec CONSOLE
    login authentication CONSOLE
    end
    Thanks
    msteinhoff

    This is exactly what you need:
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ group tacacs+
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection TAC start-stop group tacacs+
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    transport input ssh
    This will give very fine control on what user(s) can and can not do. I use this configuration with Freeware TACACS and it works wonders for me.
    Good luck.
    David
    CCIE Security

  • AAA, Tacacs+ and ACS

    I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.
    What I have so far on the switch is
    enable secret 5 removed
    username admin privilege 15 password 7 removed
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    The local admin logs in perfectly fine when the switch is not connected to the network.
    When I connect the switch to the network and login using my AD credentials it works a treat.
    When I try and log in with a local ACS account for testing which has Max Privilege for any AAA Client Level 1, Tacacs+ Settings Shell(exec) is ticked as is Privilege level and that's set at 1 also, it logs in fine but when I try to go into exec mode it fails with the errors below
    % Error in authentication.
    .Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
    I don't want test to go into exec mode as level 15 I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
    I'm at a loss to know why this isn't working so any help would be much appreciated.
    Thanks
    Jon

    The problem you are facing and the error you're seeing on ACS "max session exceeded" seem to be 2 different issues. I read that you don't want to try this with Max privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.
    You need to have command authorization enabled on the switch and a command set on the ACS > shell command authorization. This is a pretty common feature that we use day in day out.
    You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    You would see a few examples of read-only access and read-write access.
    You may also let me know which commands you would like to allow for read-only access.
    Please feel free to let me know if you need any further assistance.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • AAA config for PIX

    Hello folks!!!
    In my PIX 515E I have configured AAA configuration (tacacs+) & have also configured serial console authentication as "local" & telnet console authentication from the tacacs+ server. Apart from this I have also configured authorization as "tacacs+" server. Now if the AAA server is not available I am able to go into user mode with the "enable pwd" set in the PIX, but if I try to go into enable mode it gives the error msg "AAA command authorization failed" since it looks for the AAA server for authorization & that is not available. Is there a way by which I can overcome this by configuring "local" authorization as a fallback in case the AAA server is not available?
    Cheers
    SS

    You can add a command like this
    aaa authentication login default tacacs local
    aaa authentication login CONSOLE local
    So if Tacacs fails, local will take over.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml#login_auth

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    Don't know about 1200s but you can do this on 1130AGs. Create an aaa group for authentication via radius and one for tacacs+, then use the aaa groups to point console/vty to the tacacs+ aaa group and EAP authentication to the radius group.
    eg:
    aaa group server radius rad-group
    server x.x.x.x auth-port xxxx acct-port xxxx
    aaa group server tacacs+ admin-access
    server x.x.x.x
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    now under the ssid part of the config have:
    dot11 ssid yyyyyy
    authentication open (or whatever method you use) eap eap-method
    under console/vty etc:
    login authentication auth-admin-access
    You need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s.

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privilege level authentication "enable" this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful, however the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

  • ACS 5.1.0.44 GUI login failed!!

    Dear guys,
    I'm trying to set up Cisco ACS (5.1.0.44) in VMware Workstation for a testing/study purpose. Installation went fine. I can login through SSH, but GUI login failed with the same credentials. Please find the attached images.
    Any help will be highly appreciated!!
    login as: admin
    Using keyboard-interactive authentication.
    Password:
    Last login: Tue Oct 30 17:31:24 2012
    ACS-LAB/admin# show running-config
    Generating configuration...
    hostname ACS-LAB
    ip domain-name testlab
    interface GigabitEthernet 0
      ip address 10.10.10.50 255.255.255.0
    ip name-server 8.8.8.8
    ip default-gateway 10.10.10.254
    clock timezone UTC
    username admin password hash $1$HRi10i.R$LHqyKJWVqDxfrcmaWGPOM1 role admin
    service sshd
    password-policy
      lower-case-required
      upper-case-required
      digit-required
      no-username
      disable-cisco-passwords
      min-password-length 6
    logging localhost
    logging loglevel 6
    cdp timer 60
    cdp holdtime 180
    cdp run GigabitEthernet 0
    icmp echo on
    ACS-LAB/admin#
    Thanks.

    Hi there,
    The first time you access the ACS GUI you need to use the default credentials:
    Username: acsadmin
    Password: default
    After this the server will ask you to change the password. Please give it a try and let me know how it goes.
