ACS shell profile to only allow VPN authentication from TACACS+

I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, that would also allow users to SSH all of the network infrastructure. The new profiles will be radius based and will take some time to get them to the users.
In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
Thanks

Hi,
i tested this with Cisco ACS 5.5 with TACACS for VPN tunnel it doesn't work.
It gives you an error which is stated that service protocol used is for device administration.
So it doesn't all VPN authentication to work. but for radius this works properly.
Thanks & Regards,
Nitesh

Similar Messages

K230 only allows a boot from A-drive

I just bought a Lenovo K230 with Vista x64. Sometimes when I boot up it only allows me to boot from the A-drive (diskette). It doesn't even have an A-drive. I went into the setup menu and disabled the diskette drive. I even disabled the removable media in the boot sequence, but I still get a screen at boot up telling me to insert a diskette into drive "A" and hit enter. Help.

stsaf welcome to the forums,
Do you get any other messages other than the A drive thing?like checksum errors?I faced this earlier and the cmos battery wasnt functioning properly
Cheers and regards,
• » νιנαｿѕαяα∂нι ѕαмανє∂αм ™ « •
●๋•کáŕádhí'ک díáŕý ツ
I am a volunteer here. I don't work for Lenovo

Allowing VPN access from Guest

I have applied an access list to my guest vlan to have internet access only. This process is working fine. Now i would like to allow users (corporate) who are on the Guest vlan to VPN to my internal network. Please advise.
I am running this on 4506 SupIV
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit ip any host 24.234.0.71
access-list 100 permit tcp any any eq 443
access-list 100 deny ip 192.168.190.0 0.0.0.255 host 192.168.53.5
access-list 100 deny ip 192.168.190.0 0.0.0.255 host 192.168.1.2
access-list 100 permit tcp any any eq www
access-list 100 deny ip 192.168.190.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 100 deny ip any any

to permit ipsec vpn, you need to open:
udp 500
udp 4500
ip 50 (i.e. esp)

Anyconnect VPN-Authentication multiple profiles via ACS

Hi,
I'm currently facing the issue, that I need to migrate a customer VPN-structure from VPN-client to the new Anyconnect.
There is an ASA5515 and they have ACS with local users and AD-Integration.
The problem: The old system used different profiles with PSK, so every external partner who had a VPN connection got it's own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, which authenticate via AD or RSA. The guys who implemented this did it the easy way, means when a user connects, the whole user-table is checked (AD, local, RSA). So if an external would have the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
I should now implement a new ASA with Anyconnect and also keep up the different profiles. But in this case the problem is - there is no PSK any more. So if a smart guy changes the group in his XML-profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACL's, but the externals are.
I'm looking for a guide, how to set up different policies on the ACS, which look up the user only in the one group, depending on the profile he connected. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
What do I need e.g. for 10 different profiles?
- 10 groups on ACS?
- 1 Access-Policy? (Network Access) -> with 10 different Authorization Policy rules?
- Anything else?
Where do I define the policy to use in Anyconnect?
Thanks in advance!
BR

I've done a similar deployment where all authentication/authorization and accounting was pointed from ASA to ACS.
There are multiple layers to your question.
First of all, you have ACS, hopefully 5.x which gives you a nice policy driven authentication and authorization schema.
1st layer - setup group-alias and group-urls for specific users on ASA.
2nd layer - on ACS decides where those connection should be authenticated/authorized against (go to AD, RSA, local DB). ASA passess tunnel group name in authentication calls to ACS.
3rd layer - group-lock feature ensures that user can only have access to resources if they are in a specific group.

Shell profile without a Command Set in ACS 5.1 - TACACS

Hi all,
I have created a shell profile with a default Privilege level of 15, I am able to successfully call this via an Access Service Rule. The issue I have however is that depite having the # symbol after I log in, the switch will only allow me to perform priv 15 level commands if I also bind an 'Allow All' command set to the results in the access service rule.
Is this how it should work or should the shell profile alone with the priv 15 setting be enough? Am I missing something?
The reason I ask is that in ACS 4.2 I would just set the tick Shell (exec) and set the Priv level to 15 in the appropriate group and would be good.
Thanks in advance
Rhodri

FYI
The issue here was the use of the 'aaa authorization commands' command.
If I don't use these commands, then I only need the shell profile as no command authorization takes place post authentication.
If using these commands, then you must also bind a command set to the results of the rule as the NAD will query the AAA server for each command.
If I want to permit all commands for a certain priv level, I use a 'permit all commands' command set which will then allow all commands within a specific priv level.
Here's an example NAD config:
aaa group server tacacs+
server 10.10.10.10
aaa authentication login default local
aaa authentication login Primary group local
aaa authentication login Secondary local
aaa authorization config-commands
aaa authorization exec default group if-authenticated
aaa authorization commands 0 default group if-authenticated
aaa authorization commands 1 default group if-authenticated
aaa authorization commands 3 default group if-authenticated
aaa authorization commands 15 default group if-authenticated
aaa accounting exec default start-stop group
aaa accounting commands 0 default start-stop group
aaa accounting commands 1 default start-stop group
aaa accounting commands 3 default start-stop group
aaa accounting commands 15 default start-stop group
line con 0
login authentication Secondary
line vty 0 4
login authentication Primary
Hope this helps someone

Traffic only allowed one-way for VPN connected computers

Hello,
I currently have an ASA 5505. I have set it up as a remote access SSL VPN. My computers can connect to the VPN just fine. They just can't access the internal LAN (192.168.250.0). They can't ping the inside interface of the ASA, or any of the machines. It seems like all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connect machine from the ASA and other machines inside the LAN. It seems the traffic only allows one way. I have messed with ACL's with no avail. Any suggestions please?
DHCP Pool: 192.168.250.20-50 --> For LAN
VPN Pool: 192.168.250.100 and 192.168.250.101
Outside interface grabs DHCP from modem
Inside interface: 192.168.1.1
Current Running Config:
: Saved
ASA Version 8.2(5)
hostname HardmanASA
enable password ###### encrypted
passwd ####### encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 10
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan10
nameif inside
security-level 100
ip address 192.168.250.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end

Hello,
I seem to be having the same kind of issue although I cannot ping from either end.
Ive set up a l2tp/ipsec vpn which I am able to connect to and get ip from my ip pool (radius authentication is working).
I tried running:
access-list NAT_0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT_0
but i get an error msg saying that the syntax of the nat command is deprecated. Im running ASA version 8.4.
Ive fiddled around abit to find the correct syntax but have been unsuccessfull so far.
Any help would be much appreciated
This is a part of my config:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AD1
host 192.168.1.31
description AD/RADIUS
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network vpn_hosts
subnet 192.168.2.0 255.255.255.0
access-list AD_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list split-acl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_0_outbound extended permit ip object NETWORK_OBJ_192.168.1.0_24 object vpn_hosts
ip local pool POOL2 192.168.2.2-192.168.2.10 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static vpn_hosts vpn_hosts
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ########## 1
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

AAA Authorization with ACS Shell-Sets

Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

Hi,
So here it is,
You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
This is what I suggest the commands back to normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
provide the sufficent description (if required)
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: If we want user to be only able to access the following commads:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...)

ACS shell command authorization help

Hello,
I wanted to only allow users to use interface command. But when I permit config terminal in ACS shell command set, all the commands are allowed. How can I limited the users to only have the permission for interfacce command?
Thanks

Two things could be wrong
1) You don't have the following command on your AAA Client:
aaa authorization config-commands
2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards
Farrukh

Run only allowed application gpo and ie 11 on remote desktop server (terminal server)

I configured win 2008 R2 server as Remote desktop server (terminal server) and I have domain GPO that's applying to this server. when I configure "Run only specified Windows application" IE 11 does not work.
I have iexplore.exe as allowed application.
when new user profile is created it setup and user can open other listed application fine but soon as IE 11 launched the IE windows loads up and after about 15-20 seconds it closes.
if I remove the "Run only specified Windows application" policy then everything works fine.
I am trying to figure out if any other .exe I have to allow in order for this to work properly?
nothing in event viewer about ie crashing.

> "Run only specified Windows application"
Don't use this setting... This only restricts explorer.exe from
launching applications. If you manage to create a cmd file or open a
command prompt, this policy is useless.
Better switch to AppLocker :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Configuring PPP options for only one VPN connection

How do you configure PPP options for only one VPN connection that is using L2TP over IPSec? The built-in VPN client in 10.4.9 is failing authentication because it won't talk MSCHAP-V2 (this is the only authentication protocol I can use) with the server. I am able to establish a connection if I add the following to /etc/ppp/options:
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
However, these options will affect all PPP connections. The preference file that contains the network configurations (/Library/Preferences/SystemConfiguration/preferences.plist) also contains PPP options for each specific network service. After some searching around, I found that there are several keys that seem promising (MSCHAP2, etc.). But these keys take a string value and I have no clue what they should be. These keys are defined in SCSchemaDefinitions.h file.
Any ideas?
Mac OS X (10.4.9)

Hi Brian,
I just tried to check all of ADDT´s "includes" files for any internal references (read: "require" or "require_once" statements) to the file "tNG_config.inc.php". So far I can only see this file referenced in the file "tNG.inc.php" (within the "$KT_tNG_uploadFileList1" array).
So what could this mean ? Maybe you´ll have to make copies of the the original "tNG.inc.php" as well and save them as, say, "tNG.inc_ital.php" file plus make sure that these copies internally point to a different "tNG_config_ital.inc.php" file -- because it´s always the first mentioned file which gets referenced from e.g. an ADDT login page (see the "Load the tNG classes" - part)
I want to use ADDT’s User Registration Wizard and I have looked at all the neat stuff in the Control Panel/Login Settings
The Control Panel will always update the main "tNG_config.inc.php" file, so any further modifications will have to become manually applied to the custom files you´re creating.
Cheers,
Günter

'Allow insecure authentication' selection not saving in mac mail

I have just installed OS X Yosemite
Several of my IMAP email accounts in mail would not connect unless I select 'allow insecure authentication'.
Having made the selection, and saved, the setting reverts to unchecked.
How can I ensure that the selection remains saved?

I also have unsecure IMAP accounts (I have four email addresses) and when I upgraded I saw the Allow insecure authentication so checked it and then found it reverted so I checked it again and also unchecked the 'Automatically detect and maintain account settings'.
I then had a problem where the SMTP server keep dropping its connection and the only way to get it back was to delete the SMTP definition and recreate it.
After spending several hours trying to get it working and talking to the email hosting support (FASTHOSTS in the UK) I gave up and restored to Maverick.
Anybody out there using Fasthosts, multiple email accounts and has this working? Or even not using FASTHOSTS and has this working.
Anybody upgraded with multiple email addresses (same domain) and using SSL got this working?
Not sure if I should talk to Apple support but that costs £35 and I needed to move on so restore was faster.
thanks in advance for any help out there

ACS 5.0 and remote access VPN

I have problem for authenticar a remote access VPN with ACS 5.0, not work.
When I try with ACS 4.1, the authentication work fine.
I hope someone can help me.
Regards.

I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as tacacs and radius server. I have no problem with accessing devices via tacacs (except that changing pass with first login doesn't work). The problem is with VPN authentication. I tested radius with Radlogin and PAP is working fine, CHAP goes in timeout, but as I know ACS 5.0 doesn't suport CHAP.
Here are some logs from ASA:
the end of debug crypto isakmp:
Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
debug radius:
Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8) , : TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Regards

Show config not working in ACS "Shell Command Auth set"

To allow an AAA user access to the "show config" command I have created them an account in ACS and assigned the relevant "Shell Auth Set" but it still does not permit them to use it?, I read that this may not be the command that the switch sends the ACS server. Anyone have any ideas (switch is configured with all AAA commands)

Hi,
I am expecting that rest of the shell command authorization configuration is good on the ACS and device. We need to add command show along with the argument in command authorization set. I have attached a sample configuration for reference.
Please verify the configuration of ACS and device before making any changes from keeping your self locked on the device.
ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example:-
http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

AAA with CatOS and ACS (shell command autorization set)

Hi,
I have an ACS that authenticates and authorizes IOS devices.
I use "shell command autorization set" to authorize some commands for some groups.
Is it possible to do so with CatOS?
For example, I'd like that the groupe FULL can access all command and the group LOW can onmy access "sho" commands?
Regards,
ROMS

Console> (enable) set tacacs server [IP] [primary]
set tacacs key [key]
set tacacs attempts [number] (optional)
set localuser user [user] password [password] privilege 15
set authentication login local enable
set authentication login tacacs enable [all | console | http | telnet] [primary]
set authorization exec enable tacacs+ [deny | none] [console | telnet | both]
set authorization commands enable [config | all] tacacs+ [deny | none] [console |telnet | both]
regards,
~JG

Serial number management only allows whole numbers

Hi
If we have a material that has EA has basis unit of measure and KG for
order unit, when doing goods receipt against purchase order:
Situation 1:
Qty in Unit of Entry 1.000 KG
Qty in SKU 100 EA
Qty in Delivery Note 100 EA
No error message.
Situation2 :
Qty in Unit of Entry 999 KG
Qty in SKU 99,900 EA
Qty in Delivery Note 100 EA
and we get error message serial number management only allows whole
numbers. Quantity delivered is the same in basis unit so why is the
system producing the error message? Is there a way of avoiding this?
BR

Hi,
Serial numbers are maintained for quantity in base unit of measure.
In your example quantity is not a whole number (99,9 EA). 1 serial number is assigned to each unit; however system is unable to create serial number for 0,9 units here.
You cannot use serial number if you have units which have decimals.
Check serial number profile assigned to material in material master.
If stock check is not very important, try to change stock check setting to warning for serial number profile in IMG txn OIS2.
Best regards,
Ramki

ACS shell profile to only allow VPN authentication from TACACS+

Similar Messages

Maybe you are looking for