CSCsw18455 - admin context enable mode credentials compared to system context DB

Hello Everyone,
I have a related question about this bug, but for the "aaa accounting {serial | telnet | ssh | enable} console server-tag" command.
So for each context I need to check that accounting is enabled for serial, telnet, ssh and enable. If the ASA uses multiple contexts, would those contexts each have an individual "aaa accounting serial" command, or would the serial accounting just be on the main (system) context?
As per the doc, the command is configured per context. So on an ASA with multiple contexts enabled, from a serial connection, I log in automatically to the system or admin context, then "changeto context", and both of those contexts can have aaa accounting enabled?
Regards,
Juan Lombana
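The per-context check Juan describes, as an added example that is not part of the original thread: a small Python audit that, given each context's running configuration as text (three constructed sample configs below), reports which of the four console accounting types are missing. It assumes the configs were collected per context (for instance with "changeto context <name>" followed by "show running-config aaa") and that the accounting lines use the exact "aaa accounting <type> console <server-tag>" form.

```python
"""Audit per-context AAA accounting on a multi-context ASA.

Added example, not from the original thread. Input is one configuration
string per context; the SAMPLE_CONFIGS below are constructed for the demo.
"""
import re

# The four accounting targets the question asks about.
REQUIRED_TYPES = ("serial", "telnet", "ssh", "enable")

# Matches: aaa accounting {serial|telnet|ssh|enable} console <server-tag>
# ("aaa accounting command <tag>" has no "console" keyword and is ignored).
ACCOUNTING_RE = re.compile(
    r"^[ \t]*aaa accounting (serial|telnet|ssh|enable) console (\S+)[ \t]*$",
    re.MULTILINE,
)


def accounting_servers(config_text):
    """Return {type: server_tag} for every console accounting line found."""
    return {m.group(1): m.group(2) for m in ACCOUNTING_RE.finditer(config_text)}


def audit_context(name, config_text):
    """Report for one context: which types are present and which are missing."""
    found = accounting_servers(config_text)
    missing = [t for t in REQUIRED_TYPES if t not in found]
    return {"context": name, "found": found, "missing": missing, "compliant": not missing}


def audit_contexts(configs):
    """Audit every context; configs is {context_name: config_text}."""
    return [audit_context(name, text) for name, text in sorted(configs.items())]


# Constructed sample configs: 'admin' is complete, 'public-internet' lacks
# telnet and enable accounting, 'secure-voice' has no console accounting.
SAMPLE_CONFIGS = {
    "admin": """
aaa-server CISCO-ACS protocol tacacs+
aaa authentication ssh console CISCO-ACS LOCAL
aaa accounting serial console CISCO-ACS
aaa accounting telnet console CISCO-ACS
aaa accounting ssh console CISCO-ACS
aaa accounting enable console CISCO-ACS
aaa accounting command CISCO-ACS
""",
    "public-internet": """
aaa accounting serial console CISCO-ACS
aaa accounting ssh console CISCO-ACS
""",
    "secure-voice": """
aaa authentication ssh console LOCAL
""",
}

if __name__ == "__main__":
    for report in audit_contexts(SAMPLE_CONFIGS):
        status = "OK" if report["compliant"] else "MISSING " + ", ".join(report["missing"])
        print(f"{report['context']:<16} {status}")
```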

Similar Messages

  • Active-Active firewall Admin context

    Hi all,
    My problem statement was:
    My box is an ASA 5585x; since this model has sufficient interfaces (G0/0 - 0/7), I don't need to use sub-interfaces for the contexts.
    My question:
    a. Is it compulsory to have the admin context in an A-A deployment?
    I read on http://www.techrepublic.com/blog/networking/understand-the-pros-and-cons-of-using-cisco-asa-multiple-context-mode/1413
    that "The Admin Context is not restricted and can be used as any other security context."
    Can I just exclude this admin context?
    b. Referring to my config snippet, can I just allocate the management interface to the admin context instead of allocating any inside/outside interface to it?
    c. Is it good practice not to use the same interface for LAN failover and stateful failover? I am facing the problem of a "ghost image" when I enable multiple mode with both LAN/stateful failover on the same interface.
    thanks
    Noel
    P.S: Config snippet
    admin-context admin
    context admin
      allocate-interface Management0/0
      config-url disk0:/admin.cfg
      join-failover-group 1
    context public-internet
      allocate-interface GigabitEthernet0/0
      allocate-interface GigabitEthernet0/1
      config-url disk0:/public-intenet.cfg
      join-failover-group 2
    context secure-voice
      allocate-interface GigabitEthernet0/2
      allocate-interface GigabitEthernet0/3
      allocate-interface GigabitEthernet0/4
      config-url disk0:/secure-voice.cfg
      join-failover-group 1

    Hi Varun,
    Thanks for reply.
    Apparently my ASA 5585x box is facing a "ghost image" on the home screen, where it cannot display the real-time traffic in the panel.
    My thought was to split my previous LAN/state failover interface into separate interfaces, hoping that it can solve the problem.
    I am now using ASDM 6.47; according to Cisco this issue has been solved, but it still seems to happen in my case.
    Is there any command that lets me troubleshoot this?
    Thanks
    Noel

  • Table is not enable mode

    Hi Gurus,
    I am creating a Web Dynpro application in which I created a couple of tables. When I run the application, the tables are in disabled mode. I want them to be in enabled mode so I can enter some data. Please help me as this is very urgent.
    Thanks
    Venu

    Hi KodaliVenu,
    I will explain with an example.
    Let your view name be ' MyView '
    Let your table have 2 columns: First Name and Last Name
    Let your context node be ' Root ' (cardinality 0..N) and ' firstname ' and ' lastname ' be two attributes of type string under ' Root '.
    Do the following
    1. Create a table with two columns, each column with table cell editor as InputField
    2. Bind the DataSource property of the table with node ' Root '
    3. Bind the firstname input field with context attribute ' firstname '
    4. Bind the lastname input field with context attribute ' lastname '
    5. In wdDoInit(), do the following
       IPrivateMyView.IRootNode root = wdContext.nodeRoot();
       IPrivateMyView.IRootElement rootEl;
       for (int i = 0; i < 5; i++) {
         rootEl = root.createRootElement();   // create a new element of node Root
         root.addElement(rootEl);             // add it to the node; each element becomes a table row
       }
       The above code will create 5 rows in the table, with two columns, which will be editable

  • Enable mode authorization failed.

    I have a user who cannot get to the en prompt. Here is my trace output:
    AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr='10.128.20.110' authen_type=1 service=ENABLE priv=15
    2007 Oct 16 10:57:07.360 EST -04:00
    AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
    TAC+: send AUTHEN/START packet ver=192 id=626074205
    TAC+: Opening TCP/IP connection to 10.129.12.196
    TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS
    2007 Oct 16 10:57:08.440 EST -04:00
    AAA/AUTHEN (626074205): status = GETPASS
    Password:
    2007 Oct 16 10:57:11.200 EST -04:00 *62*
    2007 Oct 16 10:57:11.440 EST -04:00 *69*
    2007 Oct 16 10:57:11.800 EST -04:00 *67*
    2007 Oct 16 10:57:12.050 EST -04:00 *74*
    2007 Oct 16 10:57:12.300 EST -04:00 *6f*
    2007 Oct 16 10:57:12.530 EST -04:00 *65*
    2007 Oct 16 10:57:12.950 EST -04:00
    AAA/AUTHEN/CONT (626074205): continue_login
    2007 Oct 16 10:57:12.950 EST -04:00
    AAA/AUTHEN (626074205): status = GETPASS
    TAC+: send AUTHEN/CONT packet id=626074205
    TAC+: ver=192 id=626074205 received AUTHEN status = PASS
    2007 Oct 16 10:57:13.460 EST -04:00
    AAA/AUTHEN (626074205): status = PASS
    2007 Oct 16 10:57:13.460 EST -04:00 return PASS
    2007 Oct 16 10:57:13.460 EST -04:00
    AAA/AUTHOR : ptr2=enable
    2007 Oct 16 10:57:13.470 EST -04:00
    AAA/AUTHOR : Add AV service=shell
    2007 Oct 16 10:57:13.470 EST -04:00
    AAA/AUTHOR : Add AV cmd=enable
    2007 Oct 16 10:57:13.470 EST -04:00
    AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' service=CMD
    2007 Oct 16 10:57:13.480 EST -04:00
    AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'
    2007 Oct 16 10:57:13.480 EST -04:00
    AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell
    2007 Oct 16 10:57:13.480 EST -04:00
    AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable
    AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS
    2007 Oct 16 10:57:13.490 EST -04:00
    AAA/AUTHOR/TAC+: (413075467): user=lduncan
    2007 Oct 16 10:57:13.490 EST -04:00
    AAA/AUTHOR/TAC+: (413075467): send AV service=shell
    2007 Oct 16 10:57:13.490 EST -04:00
    AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
    TAC+: Opening TCP/IP connection to 10.129.12.196
    TAC+: (413075467): received author response status = FAIL
    2007 Oct 16 10:57:14.500 EST -04:00
    AAA/AUTHOR (413075467): Post authorization status = FAIL
    2007 Oct 16 10:57:14.500 EST -04:00
    AAA/AUTHOR : do_author result=1
    2007 Oct 16 10:57:14.500 EST -04:00 %AAA: author: tacacs_plus_author ret=1.
    Enable mode authorization failed.
    I have checked his user info and group info in TACACS.

    It seems that you have command authorization configured; that is why the user is not able to issue it.
    What kind of user is it? Admin or normal user?
    To let him log in, you need to make changes in the command authorization set.
    Make one command authorization set in ACS ---> Shared Profile Components.
    Add --> give any name "Full access" ---> set the radio button to Permit and submit.
    Now go to that group --> under Shell Command Authorization Set ---> choose "Assign a Shell Command Authorization Set for any network device", select FULL ACCESS from the list, and submit/apply.
    Now it should let you in.
    Caution: this lets that user issue all commands.
    Also, provide me more info if you want to deny the user some commands; we need to set up the command authorization set accordingly.
    Regards,
    ~JG
    Please rate helpful posts
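    The diagnosis JG makes here (authentication passed, then TACACS+ authorization of cmd=enable was refused) can be pulled out of such a trace mechanically. This is an added example, not from the original thread; its sample input is an excerpt of the trace posted above with the interleaved terminal timestamps stripped, and the line patterns are assumed from that output only.

```python
"""Triage a Cisco 'debug aaa authentication', 'debug aaa authorization' and
'debug tacacs' trace: did the login fail at authentication, or did TACACS+
authorization of the 'enable' command fail afterwards?
Added example; the regexes are assumed from the trace format in the post."""
import re

# Message shapes taken from the trace above (timestamps removed).
USER_RE = re.compile(r"AAA/AUTHEN: update_user user='([^']+)'")
AUTHEN_STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_AV_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): send AV (\w+)=(\S+)")
AUTHOR_STATUS_RE = re.compile(
    r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

# Excerpt of the trace in the post, with the terminal timestamps stripped.
SAMPLE_TRACE = """\
AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr='10.128.20.110' authen_type=1 service=ENABLE priv=15
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
AAA/AUTHEN (626074205): status = GETPASS
AAA/AUTHEN/CONT (626074205): continue_login
AAA/AUTHEN (626074205): status = PASS
AAA/AUTHOR : ptr2=enable
AAA/AUTHOR/TAC+: (413075467): user=lduncan
AAA/AUTHOR/TAC+: (413075467): send AV service=shell
AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
TAC+: (413075467): received author response status = FAIL
AAA/AUTHOR (413075467): Post authorization status = FAIL
"""


def parse_trace(text):
    """Collect the user, the final authentication status, and for each
    authorization session the AV pairs sent and the server's answer."""
    summary = {"user": None, "authen": None, "author": {}}
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m and summary["user"] is None:
            summary["user"] = m.group(1)
        m = AUTHEN_STATUS_RE.search(line)
        if m:
            summary["authen"] = m.group(2)  # last status wins (GETPASS, then PASS)
        m = AUTHOR_AV_RE.search(line)
        if m:
            sess = summary["author"].setdefault(m.group(1), {"av": {}, "status": None})
            sess["av"][m.group(2)] = m.group(3)
        m = AUTHOR_STATUS_RE.search(line)
        if m:
            sess = summary["author"].setdefault(m.group(1), {"av": {}, "status": None})
            sess["status"] = m.group(2)
    return summary


def verdict(summary):
    """Turn the parsed trace into the place to look first."""
    if summary["authen"] != "PASS":
        return "authentication did not pass: check the user's credentials/external DB"
    for sess in summary["author"].values():
        if sess["status"] == "FAIL" and sess["av"].get("cmd") == "enable":
            return ("authenticated, but TACACS+ denied cmd=enable: "
                    "check the shell command authorization set for the user's group")
    if any(s["status"] == "FAIL" for s in summary["author"].values()):
        return "authenticated, but a command authorization failed"
    return "no failure found in trace"


if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE)
    print(f"user={s['user']} authen={s['authen']}")
    print(verdict(s))
```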

  • Cannot Telnet Admin Context

    Hello,
    We are having issues with our Cisco ACE 4710; it suddenly stopped allowing telnet to the admin context.
    We are able to telnet to another context on the same appliance, but unable to telnet to the admin context. It is possible to ping the gateways from the other contexts, but we are not able to ping the gateway from the admin context.
    Currently we have 5 contexts with a minimum allocation of 10%.
    resource-class Contextss
      limit-resource all minimum 10.00 maximum unlimited
    The ACL and policy map allowing telnet etc. are enabled and configured on the interface.
    Cisco ACE version A3(2.0); we tried version A5(2.0) with no success.
    On the management interface VLAN we see "Config download failures : 16" incrementing.

    Hello-
      Please get a TAC case open for this.  Configuration download failures occur when the ACE is unable to program the hardware internally.  Most often, these are bugs.  However, there are many other reasons you could also not be able to telnet that they will have to investigate (i.e., ACE only allows a certain number of management connections by default. If you had other sessions still open, you can lock yourself out. Console access should always work in this scenario, and you can manually clear the sessions.)
    Regards,
    Chris Higgins

  • Unable to connect to BI Admin in online mode OBIEE 11g

    Hi All,
    We are using OBIEE 11g. We are unable to connect to BI Admin in online mode. All servers (admin server, BI server) are up and running fine. Checked the status of all the servers at the command prompt; it showed ALIVE.
    We are able to connect in offline mode.
    We were able to connect until yesterday and faced no problems; suddenly the problem occurred. Once the problem occurred we restarted all the servers, but we are still unable to connect in online mode.
    ERROR Description:[nQSError:43126] Authentication failed:Invalid Username/Password.
    [nQSError:37001] could not connect to the BI Server instance.
    Thanks.
    Edited by: RAJ on Apr 12, 2011 11:14 PM

    Can you find any errors in NQSAdminTool.log?
    Please see if these docs help.
    Cannot Open Repository In Online Mode with BI Administration Tool [ID 850921.1]
    Unable To Access RPD In Online Mode Using The Oracle BI Administration Tool, Error "Logon Failed" [ID 1206870.1]
    How to fix “Unable to Sign in. An error occured during Authentication" error when a user logs in OBIEE 11g [ID 1302924.1]
    Cannot Log Into OBIEE Administrator RPD File In Online Mode [ID 1128883.1]
    Thanks,
    Hussein

  • ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

    Hello,
    After upgrading the ISE VM from 1.2.1 to 1.3.0.876, I can't connect to ISE with AD credentials (Invalid Username or Password). It worked fine before upgrading to 1.3.
    On another ISE VM in version 1.3.0.876 (without upgrade) with this kind of configuration, it's OK.
    I have double-checked the post-upgrade tasks (particularly rejoining Active Directory). Everything worked fine after this upgrade except the admin access with AD credentials.
    I don't use user certificate-based authentication for admin access, so I didn't execute the application start ise safe CLI.
    My 802.1x wireless users pass authentication with AD credentials, so the ISE has correctly joined my AD.
    I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
    I don't find anything related to this in bug search on Cisco tools.
    I tried to:
    - update the SID of my Admin AD group; the result is still the same.
    - delete my admin access with AD credentials configuration, then make this configuration again, but still the same error.
    Any ideas on this? Could I find elements in another log?
    Regards.

    Dear Markus,
    After logging as user "prdadm"
    su - prdadm
    bssltests% bash-3.00$ ls -a
    .                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
    ..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
    .bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
    .cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
    .dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
    .dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
    .dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
    .dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
    .dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
    .dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10  sqlnet.log
    bash-3.00$
    bash-3.00$
    I have changed the environment settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
    .sapenv_bssltests.sh & .sapenv_bssltests.csh  [4 files]
    Regards,
    Ankita

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Admin Context - Do i need to assign interfaces for Mgmt?

    I am building out 2 virtual firewalls using contexts in an active/active F/O pair, and would like to know if it is necessary to assign at least one interface to the admin context.
    My other contexts will have outside, inside, DMZ and stateful F/O interfaces.  And I plan on administering these contexts by SSH to the inside of one of the active firewall contexts.
    Also, from what I am reading I see the system/admin context does AAA, syslog, F/O config, interface allocations, etc.  So, in the firewall contexts I assume I don't need to configure AAA, syslog, etc.  Is this a correct statement?
    Thanks,
    Mike

    We do not assign interfaces to the admin context, but we do assign interfaces to the other contexts from the admin context. So initially you get only the admin context, from where you allocate interfaces/resources to the other contexts.
    Here are the links for ref-
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Thanks
    Ajay

  • Screen Exit: disabled to enable mode

    Hi,
    In HUPAST Tcode, on the standard screen there is a disabled field VEMEH, i.e. the UOM (unit of measurement) field.
    I want it to be in enable mode, as an input and output field.
    How do I change it?

    Hi,
    I think it is not possible, because I tried and made that field editable, but after that the system was giving dumps.
    But you can create a message on SAP Marketplace and ask SAP. They might help you.
    Thanks,

  • Displaying std field in enable mode after throwing error msg

    Hi experts,
    I have a requirement where I need to check the value entered in the standard field (final grade) of infotype 0022 and throw an error message when the user clicks the save button in PA30.
    But the problem is, if I throw an error message, that field becomes disabled and the user has to go back and come back to enter the correct value. So, my requirement is that the field should still be in enable mode even after getting the error message.
    Please tell me how to achieve this.

    Hi Shanti,
    You don't need to display a message of type ERROR, as this will lock the screen and prevent the user from providing further input. You can use the following:
    MESSAGE i001 DISPLAY LIKE 'E'.
    This will serve your purpose by displaying the error but will not lock the screen field and thus will not prevent the user from further input.
    Have a look at the following link for more details : [ MESSAGE KEYWORD|http://help.sap.com/abapdocu_70/en/ABAPMESSAGE_OPTIONS.htm]
    Hope this will help.
    Thanks,
    Samantak.

  • ASA enable mode with ACS

    Hi
    When I SSH to my ASA is there anyway to go straight to enable mode? We use RSA SecurID which means I have to wait for the token to change before I go into enable mode at the moment.
    ASA config:
    aaa authentication ssh console CISCO-ACS LOCAL
    aaa authentication serial console CISCO-ACS LOCAL
    aaa authentication http console CISCO-ACS LOCAL
    aaa authorization command CISCO-ACS LOCAL
    aaa accounting enable console CISCO-ACS
    aaa accounting serial console CISCO-ACS
    aaa accounting ssh console CISCO-ACS
    aaa accounting command CISCO-ACS
    ACS config (Group Level)
    Privilege level 15
    Read/write command authorisation set
    Thanks

    Unfortunately that is not possible as ASA does not support Exec Authorization.
    Regards,
    ~JG
    Do rate helpful posts

  • Show history no longer works above enable mode

    Somewhere in the 15.2 train I noticed I could no longer see the command history in global config or any other config mode. It only works in enable mode.
    Has anyone else noticed this?
    Do I now have to enable show history for config mode?

    Hi Jason,
    I didn't know so far that the output of "do show history" in config mode shows the config commands too, particularly because the command description only says:
    To list the commands you have entered in the current EXEC session, use the show history command in EXEC mode.
    But you're right, with my 12.4(21) it does:
    R1(config)#do show history
      int loop0
      ip addr 192.168.1.1 255.255.255.0
      end
    However, if they've changed that behavior somewhere in 15.2, there's a simple alternative:
    R1#show run | b ^archive
    archive
     log config
      logging enable
      hidekeys
    !
    R1#show archive log config all
     idx   sess           user@line      Logged command
        1     3        console@console  |interface Loopback0
        2     3        console@console  | ip address 192.168.1.1 255.255.255.0
    That's even better because the archive remains after logoff.
    Hope that helps
    Rolf

  • Log into Device with AAA, how do I get right into enable mode?

    I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
    aaa authentication login ACS group ACS_servers local enable
    aaa authorization exec ACS group ACS_servers local
    aaa authorization commands 15 ACS group ACS_servers local
    aaa accounting commands 1 default start-stop group ACS_servers
    aaa accounting commands 15 default start-stop group ACS_servers
    line vty 0 5
    login authentication ACS
    authorization commands 15 ACS

    The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
    One more question on the aaa config, I kept getting this error in the log:
    AAA/AUTHOR: config command authorization not enabled
    So I added:
    aaa authorization config-commands
    I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
    Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
    aaa authorization commands 15 ACS if-authenticated

  • Logging directly into enable mode on a PIX using TACACS

    I have set up TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is set up to do so, and it works for routers and switches, but not the PIX box. If I put "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into enable mode.
    Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
    Thanks in advance

    Hi,
    PIX does not support exec authorization. Hence user cannot login to level 15 directly.
    Regards,
    Vivek
