ACS AAA and LOCAL AAA database...
Hello,
We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter on this 5520 device configuration so I can have redundancy for AAA... can someone help with this? TIA, Gary
Hi,
Check this example
aaa-server SERVER protocol tacacs+
aaa-server SERVER host 1.1.1.1
key $har3dK3y
These commands apply the server group to the SSH and console lines:
aaa authentication ssh console SERVER LOCAL      <--- For SSH sessions
aaa authentication serial console SERVER LOCAL   <--- For console access
Hope that helps
Regards,
JG~
Please rate helpful posts
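As an added example (not part of JG's reply), here is a fuller ASA configuration for the case Gary describes: a TACACS+ group pointing at ACS with LOCAL as the fallback on every management-plane method, plus one local break-glass account. The group name, interface, server address, shared key and username are assumed placeholders. On the ASA, LOCAL is consulted only when no server in the group answers; a reject returned by ACS is final and does not fall through.

```cisco
! ASA 5520 management-plane AAA with a local break-glass fallback (added example).
! Assumed placeholders: group ACS-TACACS, server 10.0.0.5 on "inside", key, username.
aaa-server ACS-TACACS protocol tacacs+
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3
aaa-server ACS-TACACS (inside) host 10.0.0.5
 key ChangeMeSharedSecret
 timeout 5
!
! Break-glass account: reachable only while every server in ACS-TACACS is down.
username breakglass password ChangeMeLocalPassword privilege 15
!
! Management logins: TACACS+ group first, LOCAL only if no server in the
! group responds. An explicit reject from ACS ends the attempt.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication serial console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
!
! Command authorization with the same fallback, so the break-glass user is
! authorized by the local privilege levels while ACS is unreachable.
aaa authorization command ACS-TACACS LOCAL
!
! Limit where SSH may come from and lock a local account after repeated failures.
ssh 10.0.0.0 255.255.255.0 inside
aaa local authentication attempts max-fail 5
```

Test it by blocking the ACS host and logging in with the break-glass account. With max-failed-attempts 3 and the deadtime, the group is marked dead after three unanswered requests instead of every login waiting through the full timeout. The local lockout protects the break-glass password from guessing, but it also means a password-spraying attacker can lock that account; clear it with clear aaa local user lockout.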
Similar Messages
-
Nexus 7000 aaa and local authentication
Hello,
I tried to configure aaa (with radius) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
Radius authentication is working fine(!), but I can't Login with a local created user (role vdc-Operator).
Any help is highly appreciated.
Kind regards,
Andreas
Hi,
yes, I know that the fallback will jump in when no RADIUS server responds, but I need the behaviour like the 6500 (or 4500) has. (BTW, local login works if RADIUS is disabled, or local is the default, but if local is the default, RADIUS login no longer works.) Only one of the methods at a time works.
On the 6500 I configured AAA with a Windows NPS server and a local user (e.g. for the Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via SSH) with the locally defined user account.
What I miss is something like the commands:
"aaa authentication login default local group radius"
"aaa authentication enable default enable"
(which works on the WS-C6509 or WS-C4500X).
Is there any chance to get this work on the Nexus7000?
Kind regards,
Andreas -
AAA and local user authentication
Hi,
I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
But I want to know if it is possible to use local users even when the AAA server is reachable. Something like: first it checks the local user database, and if the user does not exist then it falls back to AAA, or vice versa.
Thanks.
Ismail, the authentication methods you define act as a service. So only when the service is not available does the method fall back to the next method you define.
So in your case, if the user account is not present in the local database it will not fall back to the AAA server.
aaa authentication login default local group radius
The same holds true if the user account is not there on the AAA server:
aaa authentication login default group radius local
Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
Hope this helps! -
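Added example (not from Ismail's thread or the reply): an IOS 15.x configuration that puts the "group radius local" order into a complete form, together with the RADIUS timers that decide how long a login waits before the local database is tried and how the fallback can be checked. Server name, address, key, group name and the local account are assumed placeholders.

```cisco
! IOS 15.x, added example. NPS address, key, group and username are placeholders.
aaa new-model
!
radius server NPS1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ChangeMeRadiusKey
 timeout 3          ! seconds to wait for each request
 retransmit 2       ! retries before the server is treated as not responding
!
aaa group server radius NPS
 server name NPS1
 deadtime 5         ! minutes a non-responding server is skipped outright
!
! Local account. With the default list below it is usable only while every
! server in NPS is unresponsive (timeout x retransmit, or already marked dead).
username breakglass privilege 15 secret ChangeMeLocalSecret
!
! RADIUS is authoritative: an Access-Reject ends the attempt, and the next
! method is tried only when the group returns an error (no server answered).
aaa authentication login default group NPS local
aaa authorization exec default group NPS local
```

To see which method actually answered a login, run debug aaa authentication and debug radius during a test login, or exercise the group without a terminal line using test aaa group NPS <user> <password> new-code. The worst case before the local account is accepted is roughly timeout x (retransmit + 1) per live server, which is why the timers are set low here; verify the resulting delay on the exact image rather than assuming it.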
Hi All,
Where do I configure primary AAA and secondary AAA at ISE?
According to deployments guide Fig 1-6. Dispersed Deployment
http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
If we are using AD.. then AAA solution is RODC?
Thanks,
John
Hello,
Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, 802.1X and CWA.
Please refer to below link which might help you.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html -
PIX 525 aaa authentication with both tacacs and local
Hi,
I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
It works fine, now i would like to add the back up authentication, as follows:
- If the ACS goes down i can to be authenticated with the local database.
Is it possible with PIX, and if yes, how?
Hi,
I am trying to configure AAA using TACACS+; I am not able to close. The problems are:
1. It doesn't ask for username/password at the first level.
2. At the second level it asks for a user name but doesn't authenticate the user.
Could you please let me know if the following config is correct. If not, could you help me.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authen enable console TACACS+ -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we have FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
Now, those users can successfully log in to devices and execute those show commands from priv level 1, except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For default login you need to use the first policy matched.
You can diversify telnet/ssh from http by creating different aaa groups.
But still you will be logging in for telnet users (all of them) using one method.
I hope it is clear.
PK -
AnyConnect and IKEv2 with IOS Local AAA
Hi,
Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature to authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
Cheers,
Matt
Your NAT is nearly correct. There are just two small things:
1) What do you want to achieve with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL lines.
nat (inside,outside) source static WAN interface
2) The NAT exemption is nearly fine. This NAT rule is typically configured with two more parameters:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup -
Same user in tacacs and local database with different privilege
Hi there,
i am just not sure if this is correct behavior.
i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
I have configured authorization with TACACS+ on an ACS server version 5.2 with fallback to the switch local database.
aaa authentication login default group ACS
aaa authorization commands default group ACS local
aaa accounting default group ACS
A user test with priv 15 is created on the ACS server, password test2.
Everything works fine, until I create the same username in the local database with privilege 0. (It doesn't matter if the user in the local database was created before the user in ACS or after.)
e.g.:
username test password test1 role priv-0 (note passwords are different for users in both databases)
after i create the same user in local database with privilege 0,
If I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and it should be the primary way to authenticate and authorize the user.
Is this normal?
Thank you for help...
Hello.
Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS, Juniper JunOS) use "role-based authorization" instead of "command authorization".
So traditional IOS can use the "privilege" attribute but other operating systems cannot.
Although IOS-XR, Nexus, ACE and Juniper have the "role-based authorization" feature, every single one of them uses its own particular attributes.
When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search deeply for some hints in the documentation, because sadly the documentation is not very good when talking about TACACS details.
If you find which attributes to use, and what values to assign to the attributes, then you can go to ACS and configure a "Shell Profile".
Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are called "priv". It seems this was an effort to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them I will post them here.
Please rate if it helps -
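Added example, not from the thread or the reply: an NX-OS 5.x TACACS+ configuration for the Nexus 5000 that uses the built-in roles the reply recommends instead of the "priv-N" roles, with a local emergency account carrying an explicit role. The server address, VRF, key and username are assumed placeholders. The av-pair shown in the trailing comment is the form in which NX-OS expects its role from a TACACS+ shell profile.

```cisco
! NX-OS 5.x (Nexus 5000), added example. ACS at 10.0.0.5 via the management
! VRF; key and local username are placeholders.
feature tacacs+
tacacs-server host 10.0.0.5 key ChangeMeTacacsKey
tacacs-server timeout 5
aaa group server tacacs+ ACS
 server 10.0.0.5
 use-vrf management
 source-interface mgmt0
!
! Login through ACS. NX-OS uses the local database only when no server in the
! group responds; a reject from ACS is final.
aaa authentication login default group ACS
aaa authentication login error-enable
aaa authorization commands default group ACS local
aaa accounting default group ACS
!
! Local emergency account with a built-in role, not a "priv-N" role.
username breakglass password ChangeMeLocalPassword role network-admin
!
! On the ACS shell profile, NX-OS reads its role from a cisco-av-pair:
!   shell:roles="network-admin"       (mandatory attribute)
!   shell:roles*"network-operator"    (optional attribute)
! A user for whom ACS returns no usable role gets the default role
! (network-operator), so check the profile before suspecting the switch.
```

After a login, show user-account <name> shows the roles actually in effect and whether they came from the remote server, and show aaa authentication confirms the method order; those two outputs are the quickest way to tell a profile problem on ACS from a switch-side one.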
WLC Flexconnect with AAA and MAC authentication
hi,
I have a Cisco WLC with version 7.4.121 and I have remote site access points to be connected to this controller, and the remote access points will have a different VLAN on the remote site itself.
My question is: I have RADIUS authentication for the clients who are connecting from all the access points, and MAC filtering also.
My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both AAA and MAC filter options working?
One more question:
Is it possible to make each AP a separate MAC filter on the WLC?
Thanks,
Cyril
If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution in case the post is valid. -
ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x
Hello,
I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
In the configuration menu: Network Config > AAA Server, the AAA-server IP address changes to 169.254.x.x each time I disconnect the ethernet interface of the server.
Although the IP address in my network connection of the Windows LAN connection is set to static.
When I reconnect the ethernet interface of the server, it stays at 169.254.x.x. And I need to reconfigure the real static address each time.
Do you know this problem? Is there a way to avoid it?
Michel Misonne
Hi Michel,
It was an issue with the ACS 1113 SE appliance and a clear solution for the above is mentioned in the link below:
http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
HTH
Ganesh.H -
AAA and 3560 Switch + CNA
Hi
Has anyone got this to work?
CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
I can't get CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
This is the aaa conf.
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip http server
ip http authentication aaa
Hi
No. I get the prompt for username and password and hit enter. Then nothing happens. It looks like it's trying to build the network but it never finishes. I know it works without the aaa statements. But I can't live with that. -
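Added example, not from the thread: CNA talks to the switch over HTTP, so the HTTP server's AAA behaviour is what matters here. "ip http authentication aaa" on its own uses the default method lists; the form below binds the HTTP server to named lists so that a web login gets TACACS+ with a local fallback and level-15 exec authorization, separately from the CLI lists. The server address, key, list names and local account are assumed placeholders, and the three "ip http authentication aaa ..." sub-commands should be confirmed with "?" on the 3560 image in use, since they were not available on every 12.2 train.

```cisco
! IOS 12.2/15.x, added example. Server address, key, list names and the local
! account are placeholders.
aaa new-model
tacacs-server host 10.0.0.5 key ChangeMeTacacsKey
tacacs-server timeout 5
aaa group server tacacs+ ACS
 server 10.0.0.5
!
! Named lists used only by the HTTP server.
aaa authentication login HTTP_LOGIN group ACS local
aaa authorization exec HTTP_EXEC group ACS local
aaa authorization commands 15 HTTP_CMD group ACS local
username cna-admin privilege 15 secret ChangeMeLocalSecret
!
! Prefer HTTPS for the management GUI; plain HTTP sends the login in the clear.
ip http secure-server
no ip http server
ip http authentication aaa login-authentication HTTP_LOGIN
ip http authentication aaa exec-authorization HTTP_EXEC
ip http authentication aaa command-authorization 15 HTTP_CMD
```

With this in place, a web login that hangs after the password prompt is usually visible in debug aaa authorization as a failed exec or level-15 command authorization rather than a failed login, which narrows where the TACACS+ profile needs fixing.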
Hello All,
I want to download free yet reliable AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.
You may download the eval version ACS 4.2.0.124 if you have access to cisco.com.
ACS v4.2.0.124 90-Days Evaluation Software
eval-ACS-4.2.0.124-SW.zip
http://tools.cisco.com/squish/9B37e
Path:
Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
> Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
~BR
Jatin Katyal
**Do rate helpful posts** -
AAA confusion - local username access
Hey all,
I am a little confused.
I have the following commands on my device:
username blah privilege 15 secret 5 blah!@#$%%
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Everything works fine.
However, when I bring down the TACACS server I am able to log in to the device with the local username, but it fails when I enter the enable command. How can I have access in case of emergency when TACACS fails? I have researched online and have tried multiple commands. Is there anything I am missing? I do have an enable secret password configured as well. But I don't even get a chance to enter it. When entering "en" at the > prompt:
% Authentication failed.
Thanks in advance for your help.
My testing has led to frustration.
Hi Geo,
First, please give the fallback method for commands 0.
aaa authorization commands 0 default group tacacs+
Add local:
aaa authorization commands 0 default group tacacs+ local
Make sure you are putting in the right enable password; try to reset it and give it a shot.
If the issue is still there then get the output of debug tacacs and debug aaa authentication.
Regards,
~JG
Do rate helpful posts -
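Added example (not from Geo's post or JG's reply): the same configuration with a fallback on every list that the login-to-enable path touches, so that an outage of the TACACS+ server leaves one working local path into privileged EXEC. The point behind JG's fix is that "enable" is itself a privilege-level-0 command (together with disable, exit, help and logout), so a "commands 0" list with no fallback refuses it as soon as the server stops answering. Server address, key, group name and the local account are assumed placeholders.

```cisco
! IOS 15.x, added example. Server address, key and credentials are placeholders.
aaa new-model
tacacs server ACS1
 address ipv4 10.0.0.5
 key ChangeMeTacacsKey
 timeout 5
aaa group server tacacs+ ACS
 server name ACS1
!
! Local credentials used only while ACS is unreachable (see the lists below).
username breakglass privilege 15 secret ChangeMeLocalSecret
enable secret ChangeMeEnableSecret
!
aaa authentication login default group ACS local
! "enable" falls back to the enable secret only when no TACACS+ server answers;
! a reject from ACS is final.
aaa authentication enable default group ACS enable
! Exec authorization with local fallback: a privilege-15 local user lands in
! privileged EXEC directly and never has to type "enable" during the outage.
aaa authorization exec default group ACS local
! Level 0 covers enable/disable/exit/help/logout; without "local" here the
! "enable" command itself is refused while the server is down.
aaa authorization commands 0 default group ACS local
aaa authorization commands 15 default group ACS local
aaa authorization config-commands
! Accounting has no fallback; records are simply lost while ACS is unreachable.
aaa accounting exec default start-stop group ACS
aaa accounting commands 0 default stop-only group ACS
aaa accounting commands 15 default start-stop group ACS
```

Test the outage case deliberately: block the server, log in as the local user, and watch debug aaa authorization and debug tacacs. Each line in the path (login, exec, commands 0, enable) should show the group timing out and the local or enable method taking over; the first line that shows a reject instead of an error is the one still missing its fallback.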
I want to be able to set up read-only access to one of our Cisco routers while letting the other users still be able to get into enable and config mode.
My current config ( without the read only access user) is as follows
aaa new-model
aaa authentication login default local-case
aaa authentication login NO_AUTHENT none
aaa authorization exec default local
username x password y
Thank you.
Hi,
I tried that on a test router, logging into the console port, and I could not log in with a privilege level of 1. I could log in with a privilege level of 3. However, it let me make changes to the router in config mode. My goal is to allow the account to run show commands on the router and have read-only access.
Thoughts? -
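Added example, not from the thread (which works with privilege levels): IOS role-based CLI views give a read-only account an explicit allow-list of commands while the existing privilege-15 users are untouched. It requires aaa new-model and an image with parser views (12.3(7)T and later); the view name, usernames and secrets are assumed placeholders, and the view must be created while logged in as the root view.

```cisco
! IOS role-based CLI views, added example. Names and secrets are placeholders.
aaa new-model
aaa authentication login default local
! Exec authorization from the local database is what attaches the view at login.
aaa authorization exec default local
enable secret ChangeMeRootSecret
!
! From privileged EXEC: "enable view" (prompts for the enable secret), then
! "configure terminal" to define the view.
parser view READONLY
 secret ChangeMeViewSecret
 commands exec include all show
 commands exec include ping
 commands exec include traceroute
 commands exec include exit
!
! Read-only operator: bound to the view, so "configure terminal" is not even
! parsed for this account.
username operator view READONLY secret ChangeMeOperatorSecret
! Full-access administrator, unchanged by the view.
username admin privilege 15 secret ChangeMeAdminSecret
```

show parser view all lists the views that exist, and a test login as operator should land in the view with only the included commands visible under "?". Keep in mind that "include all show" exposes show running-config and its secrets in whatever form they are stored, so hash all passwords (secret, not password) before handing out the account.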
AAA and TACACS on everything BUT NOT console
Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes... I can't seem to separate the 'enable' piece... any thoughts?
I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not for the enable or privilege mode. It is either "tacacs" or "enable" or some other combination, but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:
username cisco password cisco
enable secret cisco
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
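Added example, not from the reply: a trimmed configuration for the split the question asks for. The enable method list really does exist only as "default", so the console is kept out of it by giving the console line a local exec-authorization list and a privilege-15 local user; that user is placed in privileged EXEC at login and never runs "enable". VTY lines keep TACACS+ with a local fallback. Server address, key, list names and credentials are assumed placeholders.

```cisco
! IOS 15.x, added example. Server address, key and credentials are placeholders.
aaa new-model
tacacs server ACS1
 address ipv4 10.0.0.5
 key ChangeMeTacacsKey
aaa group server tacacs+ ACS
 server name ACS1
username console-admin privilege 15 secret ChangeMeLocalSecret
enable secret ChangeMeEnableSecret
!
! Console: local database only, for login and for exec authorization.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
! VTY: TACACS+ first, local only when no server in the group answers.
aaa authentication login VTY group ACS local
aaa authorization exec VTY group ACS local
aaa authorization commands 15 VTY group ACS local
! The only enable list is "default". With local exec authorization the console
! user arrives at privilege 15 and never reaches this list.
aaa authentication enable default group ACS enable
! Without this, authorization lists are ignored on the console line entirely.
aaa authorization console
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
 authorization commands 15 VTY
 transport input ssh
```

The trade-off is that the console account is a standing privilege-15 credential, so it needs the same handling as an enable secret: a strong secret, physical control of the console port, and logging of console logins. A VTY user who authenticates through ACS at a lower level still goes through the default enable list exactly as before.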