Enable mode on 2112 WLC

Similar Messages

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• Screen Exit: desiable to Enable mode

  Hi,
  In HUPAST Tcode , on Standard screen there is disable field VEMEH i.e UOM unit of Measurment filed.
  I want it should be in enable mode .  input and output fields.
  how to change it ?

  Hi,
  I think it is not possible becuase i tried and that filed editable but after that system was giving dumps.
  But you can create a message on SAP Market place and ask to SAP. They might help you.
  Thanks,

• Displaying std field in enable mode after throwing error msg

  Hi experts,
  I have a requirement where i need to  check the value enterred in standard field (final grade) of infotype 0022 and need to throw error message, when the user click save button in PA30.
  But the problem is, if i throw Error message, that field becomes disable and the user have to go back and come back for entering the correct value. So, my requirement is taht the field should still be in enable mode even after getting the error message.
  pls tell me how to achive the same?

  Hi Shanti,
  You don't need to display a message of type ERROR as this will lock the screen and will prevent the user from providing further input. You can use the following thing
  MESSAGE i001 DISPLAY LIKE 'E'.
  This will serve your purpose by displaying the error but will not lock the screen field and thus will not prevent the user from further input.
  Have a look at the following link for more details : [ MESSAGE KEYWORD|http://help.sap.com/abapdocu_70/en/ABAPMESSAGE_OPTIONS.htm]
  Hope this will help.
  Thanks,
  Samantak.

• ASA enable mode with ACS

  Hi
  When I SSH to my ASA is there anyway to go straight to enable mode? We use RSA SecurID which means I have to wait for the token to change before I go into enable mode at the moment.
  ASA config:
  aaa authentication ssh console CISCO-ACS LOCAL
  aaa authentication serial console CISCO-ACS LOCAL
  aaa authentication http console CISCO-ACS LOCAL
  aaa authorization command CISCO-ACS LOCAL
  aaa accounting enable console CISCO-ACS
  aaa accounting serial console CISCO-ACS
  aaa accounting ssh console CISCO-ACS
  aaa accounting command CISCO-ACS
  ACS config (Group Level)
  Privilege level 15
  Read/write command authorisation set
  Thanks

  Unfortunately that is not possible as ASA does not support Exec Authorization.
  Regards,
  ~JG
  Do rate helpful posts

• Show history no longer works above enable mode

  Somewhere in the 15.2 train I noticed I could no longer see the command history in global config or any other config mode. It only works in enable mode.
  Has anyone else noticed this?
  Do I now have to enable show history for config mode?

  Hi Jason,
  I didn't know so far that the output of "do show history" in config mode shows the config commands too, particulary because the command description only says:
  To list the commands you have entered in the current EXEC session, use the show history command in EXEC mode.
  But your're right, with my 12.4(21) it does:
  R1(config)#do show history int loop0 ip addr 192.168.1.1 255.255.255.0 end
  However, if they've changed that behavior somewhere in 15.2, there's a simple alternative:
  R1#show run | b ^archivearchive     log config      logging enable      hidekeys!R1#show archive log config all idx   sess           user@line      Logged command 1     3        console@console  |interface Loopback0 2     3        console@console  | ip address 192.168.1.1 255.255.255.0
  That's even better because the archive remains after logoff.
  Hope that helps
  Rolf

• Log into Device with AAA, how do I get right into enable mode?

  I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
  aaa authentication login ACS group ACS_servers local enable
  aaa authorization exec ACS group ACS_servers local
  aaa authorization commands 15 ACS group ACS_servers local
  aaa accounting commands 1 default start-stop group ACS_servers
  aaa accounting commands 15 default start-stop group ACS_servers
  line vty 0 5
  login authentication ACS
  authorization commmands 15 ACS

  The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
  One more question on the aaa config, I kept getting this error in the log:
  AAA/AUTHOR: config command authorization not enabled
  So I added:
  aaa authorization config-commands
  I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
  Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
  aaa authorization commands 15 ACS if-authenticated

• Radius compatibility mode settings in WLC

  our users are using some 3rd party radius server for MAC address auth. I found there is a setting called Radius compatibility mode in the WLC configuration. But there is no document talking about what this setting does for.
  So should I set it to use "Other" or just leave it as "Cisco ACS"?

  This determines what password is used for mac authentication. ACS expects to see the username and password to both be the mac address for mac authentication. Free Radius uses a shared secret for a password. And other Radius servers don't require any password for mac auths sent to the server.

• Logging directly into enable mode on a PIX using TACACS

  I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
  Does anyone know it there is a way to configure the PIX to log someone directly into enable mode via TACACS?
  Thanks in advance

  Hi,
  PIX does not support exec authorization. Hence user cannot login to level 15 directly.
  Regards,
  Vivek

• Enable mode using privilege levels

  Hi All,
  We use TACACS+ for telnet access and enable secret password for privileged access. An user would like to enter the enable mode without entering the enable secret password. Is it possible to do this using privilege levels and shell exec on the AAA server?

  I have configured a user on AAA server and under the enable options, I have selected level 15 and under shell exec, I have selected privilege level 15.
  The router has following config
  aaa authorization exec default tacacs+ if-authenticated
  aaa authorization commands 1 default tacacs+ if-authenticated
  aaa authorization commands 15 default tacacs+ if-authenticated
  Am I missing any other commands?

• How to skip enable mode password prompt.

  Hi,
  I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.
  The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??
  Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.
  Any help is greatly appreciated.
  Thanks,
  Tony

  Hi,
  Here's my two penny's worth;
  I would take off the "authorization" lines as these are only needed to authorize exec and commands:
  no aaa authorization exec default group tacacs+ if-authenticated
  no aaa authorization commands 15 default group tacacs+ if-authenticated
  I would also remove the authentication enable line as this tells the device to authenticate enable mode access
  no aaa authentication enable default group tacacs+ enable
  And just test with the authentication login line, leave the accounting lines for now
  I would double check the following in ACS:
  Is the device in the right NDG?
  Do you have Per Group Defined Network Access Restrictions defined for this device?
  Is the user in the right group?
  In the group settings, Check you have Shell(exec) enabled, Privilege level set to 15, and under Enable Options ensure you have the right Priv level defined, per device, per group etc.
  Do you have either Shell Command Authorization Set or Per Group Command Authorization radio button selected?
  If you have Shell Command Authorization Set for the group ensure you have Unmatched Commands Permit selected.
  And authentication should be ok, then you can troubleshoot the authorization part...
  Is this on an appliance or other operating system? My experience of the appliances are that they're pretty c**p, too many bugs and little things that don't work...
  Just for info, you should have a last resort local username configured if ACS is down:
  username priv 15 password
  This will give you local access, and, if you find you have access issues as you have, you can remove the device from ACS, so it doesn't know about it, the device will try ACS not a get a response after the timeout period and prompt you for your username, enter your local password and you're in...
  I hope this helps...

• Table is not enable mode

  Hi Gurus,
  I am creating a webdynpro in that I created a couple of tables when I am running the application it is indisable mode. I want it to be in enable mode to enter some data. Please help me as this is very urgent.
  Thanks
  Venu

  Hi KodaliVenu,
  I will explain u with an example.
  Let ur view name be ' MyView '
  Let ur table have 2 columns: First Name and Last Name
  Let ur Context node be ' Root ' (cardinality 0..N) and ' firstname ' and ' lastname ' be two attributes of type string under ' Root'.
  Do the following
  1. Create a table with two columns, each column with tablecele editor as InputField
  2. Bind the DataSource property of table with node ' Root '
  3. Bind fistname input field with context variable ' firstname '
  4. Bind lastname input field with context variable ' lastname '
  5. in wdDoIni(), do the following
     IPrivateMyview.IRootNode root=wdContext.nodeRoot();
     IPrivateMyview.IRootElement rootEl;
     for(int i=0;i<5;i++)
       rootEl=root.createRootElement();
       root.addElement(rootEl);
     The above code will create 5 rows in table, with two columns, which willl be editable

• Using AAA for enable mode

  I used to use TACACS and ACS to enable active directory accounts to be used for enable mode. After using their AD account to ssh or telnet you would then type enable and then use your AD password. Now I don't have TACACS and need to use Radius, IAS, on a windows server. I have telnet and ssh setup to use the AD accounts, but how/can I set up the enable mode to use AD accounts?
  thank you,
  Bill

  Bill,
  Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that password to login to enable mode.
  Regards,
  ~JG
  Do rate helpful post

• Enable mode authorization failed.

  Have a user that cannot get to en prompt. Here is my trace output:
  AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr=
  '10.128.20.110' authen_type=1 service=ENABLE priv=152007 Oct 16 10:57:07.360 EST
  -04:00
  AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
  TAC+: send AUTHEN/START packet ver=192 id=626074205
  TAC+: Opening TCP/IP connection to 10.129.12.196
  TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS2007 Oct 16 10:57:08.
  440 EST -04:00
  AAA/AUTHEN (626074205): status = GETPASSPassword: 2007 Oct 16 10:57:11.200 EST -
  04:00 *62*2007 Oct 16 10:57:11.440 EST -04:00 *69*2007 Oct 16 10:57:11.800 EST -
  04:00 *67*2007 Oct 16 10:57:12.050 EST -04:00 *74*2007 Oct 16 10:57:12.300 EST -
  04:00 *6f*2007 Oct 16 10:57:12.530 EST -04:00 *65*
  2007 Oct 16 10:57:12.950 EST -04:00
  AAA/AUTHEN/CONT (626074205): continue_login2007 Oct 16 10:57:12.950 EST -04:00
  AAA/AUTHEN (626074205): status = GETPASS
  TAC+: send AUTHEN/CONT packet id=626074205
  TAC+: ver=192 id=626074205 received AUTHEN status = PASS2007 Oct 16 10:57:13.460
  EST -04:00
  AAA/AUTHEN (626074205): status = PASS2007 Oct 16 10:57:13.460 EST -04:00 return
  PASS
  2007 Oct 16 10:57:13.460 EST -04:00
  AAA/AUTHOR : ptr2=enable
  2007 Oct 16 10:57:13.470 EST -04:00
  AAA/AUTHOR : Add AV service=shell
  2007 Oct 16 10:57:13.470 EST -04:00
  AAA/AUTHOR : Add AV cmd=enable
  2007 Oct 16 10:57:13.470 EST -04:00
  AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' servic
  e=CMD2007 Oct 16 10:57:13.480 EST -04:00
  AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'2007 Oct 16 10:57:13.4
  80 EST -04:00
  AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell2007 Oct 16 10:5
  7:13.480 EST -04:00
  AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable
  AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS2007 Oct 16 10:57:13.4
  90 EST -04:00
  AAA/AUTHOR/TAC+: (413075467): user=lduncan2007 Oct 16 10:57:13.490 EST -04:00
  AAA/AUTHOR/TAC+: (413075467): send AV service=shell2007 Oct 16 10:57:13.490 EST
  -04:00
  AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
  TAC+: Opening TCP/IP connection to 10.129.12.196
  TAC+: (413075467): received author response status = FAIL2007 Oct 16 10:57:14.50
  0 EST -04:00
  AAA/AUTHOR (413075467): Post authorization status = FAIL2007 Oct 16 10:57:14.500
  EST -04:00
  AAA/AUTHOR : do_author result=12007 Oct 16 10:57:14.500 EST -04:00 %AAA: author:
  tacacs_plus_author ret=1.
  Enable mode authorization faile
  I have checked his user info and group info in tacacs.

  It seems that you have command author configured that is why user in not able to issue it.
  What kind of user is it ? Admin or normal user.
  To make him login you need to make changes in the command author set.
  Make one command autho set in acs --->shared profile componenets.
  add-->give any name "Full access "---> Put radio button to permit and submit.
  Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
  Now it should let you in.
  Caution : This is let that uses to issue all commands
  Also provide me more info if you want user to deny some commands. We need to set up command autho set accordingly.
  Regards,
  ~JG
  Please rate helpful posts

• Aaa authorization (device doesn't always go into enable mode)

  When I log into the 4500 switch with my domain account, I get priv 1 only and have to “enable” with the local enable password to get to priv 15.  How do I set this up to get directly to enable? The ACS 5.1 is setup with a authorization/shell profile for Priv 15, no problems there.
  2821-RTR2#show run | incl aaa
  aaa new-model
  aaa authentication login default group tacacs+ local enable
  aaa authentication login CONSOLE local-case line
  aaa authorization exec default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common
  4500 that drops into enable mode
  4500-SW1#show run | incl aaa
  aaa new-model
  aaa authentication login default group tacacs+ local enable
  aaa authentication login CONSOLE local-case line
  aaa authorization exec default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common

  On the non-working device enable:
  debug aaa authen
  debug aaa author
  debug tacacs
  and post the results.
  Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.