Help in command aaa authentication
Hi,
Could someone explain this command
aaa authentication login default
What does the authentication default to when we are not providing any authentication such as local or group radius?
Thanks
Jason
Hi Jason,
This command would generate an error such as:
R(config)#aaa authentication login default
% Incomplete command.
we need to specify an auth method.
Regards,
Vivek
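Once a method is supplied after `default`, IOS works through the listed methods in order. The following simulation is an added illustration, not Cisco code, with constructed users, passwords and server state; it models the rule that the next method (`local`, `enable`) is consulted only when the previous one cannot answer (no server responded, shown here as ERROR), while a server that answers and rejects the credentials ends the evaluation with a reject. It covers both the login list asked about here and the `enable` list discussed further down the page.

```python
"""Simulation of how Cisco IOS evaluates an AAA method list such as

    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable

Added illustration, not Cisco code.  Server contents, users and
passwords are constructed for the example.  Behaviour modelled:
  * methods are tried strictly in the order listed;
  * the next method is consulted only when the current one returns
    ERROR (no server answered);
  * FAIL (a server answered and rejected the credentials) is final and
    does not fall through to 'local' or 'enable'.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


# A method takes (username, password) and returns a Result.
Method = Callable[[Optional[str], str], Result]


def tacacs_group(servers: List[dict]) -> Method:
    """'group tacacs+': ask each server in order; the first reachable server
    gives the final answer, unreachable servers are skipped."""
    def authenticate(user, password):
        for srv in servers:
            if not srv["reachable"]:
                continue
            return Result.PASS if srv["users"].get(user) == password else Result.FAIL
        return Result.ERROR      # no server responded
    return authenticate


def local_users(db: Dict[str, str]) -> Method:
    """'local': the device's own username database.  An unknown user is
    modelled as ERROR (evaluation continues), a wrong password as FAIL."""
    def authenticate(user, password):
        if user not in db:
            return Result.ERROR
        return Result.PASS if db[user] == password else Result.FAIL
    return authenticate


def enable_secret(secret: str) -> Method:
    """'enable': the locally configured enable secret; no username involved."""
    def authenticate(user, password):
        return Result.PASS if password == secret else Result.FAIL
    return authenticate


def evaluate(method_list: List[Tuple[str, Method]], user: Optional[str],
             password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Walk the list; return the final result and the (method, result) trace."""
    trace = []
    for name, method in method_list:
        result = method(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace     # PASS or FAIL ends evaluation
    return Result.ERROR, trace       # every method errored: access denied


# --- constructed sample data (not from any real device) -----------------
TACACS_LOGIN = {"jason": "tac-pw"}            # users known to the TACACS+ server
TACACS_ENABLE = {"jason": "tac-enable-pw"}    # their enable passwords on the server
LOCAL_DB = {"admin": "local-pw"}              # 'username admin ... secret ...'
ENABLE_SECRET = "enable-pw"                   # 'enable secret ...'


def login_list(server_up: bool):
    """aaa authentication login default group tacacs+ local"""
    servers = [{"reachable": server_up, "users": TACACS_LOGIN}]
    return [("group tacacs+", tacacs_group(servers)), ("local", local_users(LOCAL_DB))]


def enable_list(server_up: bool):
    """aaa authentication enable default group tacacs+ enable"""
    servers = [{"reachable": server_up, "users": TACACS_ENABLE}]
    return [("group tacacs+", tacacs_group(servers)), ("enable", enable_secret(ENABLE_SECRET))]


if __name__ == "__main__":
    cases = [
        ("login, server up,   TACACS user",      login_list(True),   "jason", "tac-pw"),
        ("login, server up,   local-only user",  login_list(True),   "admin", "local-pw"),
        ("login, server down, local-only user",  login_list(False),  "admin", "local-pw"),
        ("login, server down, TACACS-only user", login_list(False),  "jason", "tac-pw"),
        ("enable, server down, enable secret",   enable_list(False), "jason", "enable-pw"),
        ("enable, server up,   enable secret",   enable_list(True),  "jason", "enable-pw"),
    ]
    for label, mlist, user, pw in cases:
        result, trace = evaluate(mlist, user, pw)
        print(f"{label:40s} -> {result.value:5s} trace={[(m, r.value) for m, r in trace]}")
```

Two of the cases are the ones that surprise people in practice: while the server is reachable, a local-only account (or the local enable secret) is rejected rather than silently accepted, and during an outage an account that exists only on the server cannot log in at all, which is why a local fallback account is kept on the device.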
Similar Messages
-
Aaa authentication enable command
Hi,
If I configure the following command, how can I enter the enable user name and password to get into the enable prompt? Can someone explain to me how to enable TACACS authentication for enable access?
"aaa authentication enable default group tacacs+ enable",
TIA
krishna
Assuming that your IOS device is otherwise correctly configured for TACACS (has the proper TACACS server address, proper TACACS key) and that the TACACS server is configured to recognize and process this machine as a client for authentication, then using this command:
aaa authentication enable default group tacacs+ enable
will cause the IOS device to send an authentication request to the TACACS server when someone attempts to access privilege mode. If the TACACS server does not respond the IOS device will use the local enable secret (or password) to authenticate enable mode. This is the only thing that you must do on the IOS device. On the TACACS server you must be sure that the user ID is correctly configured for access to this device and the user is checked for level 15 access.
HTH
Rick -
Aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key key
ip tacacs source-interface Vlan 3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
It should work because this is a message/banner prompt every time you try to login (console/vty). I have it configured on my router.
If you have banner motd, it will be displayed as well (see below). So I have to remove it to get only the aaa banner & prompt being displayed:
*** Username: cisco, Password: cisco (priv 15f - local) ****
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK -
AAA Authentication & Accounting using Tacacs+ Commands order
In the cisco Remote Access Companion guide book page 394 we have got this configuration lines :
RTA(config)#tacacs-server host 192.168.0.11
RTA(config)#tacacs-server host 192.168.0.12
RTA(config)#tacacs-server key topsecret
RTA(config)#aaa new-model
RTA(config)#aaa authentication login default group tacacs+
If I want to add to the configuration above ,the command below :
RTA(config)#aaa accounting connection default start-stop tacacs+
Is it necessary for the above lines to be in a specific order when I configure RTA?
The first tacacs server listed will be the first tacacs server queried. I would make my primary ACS the first listed. Everything else looks good.
-
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks
I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
AAA authentication / Radius-Servers
Hello cisco folks,
Have a technical question I would like to ask. I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.
Then the enable password. Thanks in advance.
Paul
Hi Bro
Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
Just ensure you've the configuration shown below, and all should be good;
enable password cisco
aaa new-model
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group radius local
username ram privilege 15 password 0 cisco
username cisco privilege 7 password 0 cisco
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip radius source-interface FastEthernet0/0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
privilege interface level 7 shutdown
privilege interface level 7 ip address
privilege interface level 7 ip
privilege interface level 7 no shutdown
privilege interface level 7 no ip address
privilege interface level 7 no ip
privilege interface level 7 no
privilege configure level 7 interface
privilege configure level 7 shutdown
privilege configure level 7 ip
privilege configure level 7 no interface
privilege configure level 7 no shutdown
privilege configure level 7 no ip
privilege configure level 0 no
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 undebug ip rip
privilege exec level 7 undebug ip
privilege exec level 7 undebug all
privilege exec level 7 undebug
privilege exec level 7 debug ip rip
privilege exec level 7 debug ip
privilege exec level 7 debug all
privilege exec level 7 debug
line con 0
authorization exec VTY
login authentication VTY
line aux 0
line vty 0 4
authorization exec VTY
login authentication VTY
end
Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
P/S: if you think this comment is helpful, please do rate it nicely :-) -
Cisco Nexus AAA authentication and console access
We have a Nexus 7k with AAA authentication working. Now I have an issue: I can't log in using the console port because my logins are rejected. Is there any way we can log in to the console with local login details, or do we have to use ACS server (AAA) logins when connected to the console (while the ACS server is still reachable)?
My main question is: I want to log in using the console port while the ACS server is still reachable. Is it possible?
Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
HTH
Rick -
Aaa authentication enable console (server_name) password issue
Here is the problem I am experiencing and I hope someone out there is able to help;
I have a ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACAC server (which is running TACAC open source supplied by Cisco).
The problem is as follows;
I can telnet to the appliance remotely and, using my username and password (configured on the TACAC server), I am authenticated. But after entering enable I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password as I previously entered at the telnet prompt and failed; the local enable password fails as well. Any suggestion?
aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server
I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.
Since the code is open-source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.
The configuration file would look something like this:
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec1"
}
group = admin {
    default service = permit
}
On the Pix:
aaa-server NEO protocol tacacs+
aaa-server NEO (outside) host 192.168.15.10
timeout 5
key cciesec
aaa authentication ssh console NEO LOCAL
aaa authentication enable console NEO LOCAL
Here is the login sequence:
[root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
cciesec@192.168.0.25's password:
Type help or '?' for a list of available commands.
CiscoPix> en
Password: ********
CiscoPix#
In other words, my initial password is "cciesec" and my enable password is "cciesec1". Another user "tom" will have his own login and enable password.
Simple enough? -
I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.
I've implemented the following commands:
aaa-server LOCAL protocol local
access-list authlist permit tcp any any eq www
aaa authentication match authlist outside LOCAL
When these commands are used, authentication works as advertised. When I change the access-list to:
access-list authlist permit tcp any host 192.168.1.2 eq www
where 192.168.1.2 is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.
Any ideas?
Noah
Hi,
The solution lies in: from where are you trying to access the server, and where have you applied the authentication to occur?
192.168.1.2 definitely doesn't appear to be a global IP (if you are not working in a test scenario).
"outside" in the authentication statement means that we want authentication to happen for all the traffic coming in on the Outside interface.
Little topology detail will help.
Regards,
Prem -
Aaa authentication enable console issue
I have an ASA5505 running 8.2(5). It is configured with
aaa authentication telnet console xxxxxx LOCAL
and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.
I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.
I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
Could there be something that needs to be changed on the ACS server to make this work?
Thanks.
Using TACACS+
No command authorization rules are being used
When I add the aaa authentication enable console xxxxxxxx LOCAL command,
and use login instead of enable, I get Login failed if I try to use my credentials.
However, if I use login with the locally configured username and password, it lets me in.
Here is the config (without the aaa authentication enable console command):
User Access Verification
Username: xxx/xxxxxxxxxx
Password: ************
Type help or '?' for a list of available commands.
FW> en
Password: ********
FW# sh ru
: Saved
ASA Version 8.2(5)
terminal width 511
hostname xxxxxxxx
enable password *********** encrypted
passwd *********** encrypted
names
interface Ethernet0/0
switchport access vlan xxx
interface Ethernet0/1
switchport access vlan xxx
shutdown
interface Ethernet0/2
switchport access vlan xxx
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlanxxx
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
interface Vlanxxx
nameif OUtside
security-level 0
ip address x.x.x.x x.x.x.x
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
access-list Outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list OUtside_access_in extended permit icmp any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
pager lines 24
logging enable
logging asdm informational
logging host inside x.x.x.x
mtu inside 1500
mtu OUtside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group OUtside_access_in in interface OUtside
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxxxxxxx protocol tacacs+
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa authentication http console ******* LOCAL
aaa authentication ssh console ******* LOCAL
aaa authentication telnet console ******* LOCAL
aaa local authentication attempts max-fail 5
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
snmp-server host inside x.x.x.x community ***** version 2c
snmp-server host OUtside x.x.x.x community ***** version 2c
snmp-server host inside x.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet x.x.x.x x.x.x.x inside
telnet x.x.x.x x.x.x.x inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config OUtside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
FW#
Thanks. -
ACE 4700 and Cisco ACS aaa authentication
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.
Please help. Thanks.
Thanks. Now I have another problem. I CAN log into the ACE via tacacs+ account(s). However, I get an error when I try going into configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco routers/switches just fine and can go into enable mode just fine. Only issue on the ACE.
Any ideas? Thanks. -
Prime 1.4 - no aaa authentication tacacs+ server
Anybody know the equivalent command "no aaa authentication tacacs+ server" on PI 1.4? I saw this command on PI 2.2 but I can't find something similar on 1.4.
Thanks in advance.
Check the following command line manual for PI 1.4:
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/command/reference/cli14.html
Apart from that, I found this; let me know if it helps.
Select a command
Add TACACS+ Server—See the “Add TACACS+ Server” section.
Delete TACACS+ Server—Select a server or servers to be deleted, select this command, and click Go to delete the server(s) from the database.
Add TACACS+ Server
Choose Administration > AAA > TACACS+ from the left sidebar menu to access this page. From the Select a command drop-down list choose Add TACACS+ Server , and click Go to access this page.
This page allows you to add a new TACACS+ server to Prime Infrastructure.
Server Address—IP address of the TACACS+ server being added.
Port—Controller port.
Shared Secret Format—ASCII or Hex.
Shared Secret—The shared secret that acts as a password to log in to the TACACS+ server.
Confirm Shared Secret—Reenter TACACS+ server shared secret.
Retransmit Timeout—Specify retransmission timeout value for a TACACS+ authentication request.
Retries—Number of retries allowed for authentication request. You can specify a value between 1 and 9.
Authentication Type—Two authentication protocols are provided. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
Command Buttons
Submit
Cancel
Note: Enable the TACACS+ server with the AAA Mode Settings. See the “Configuring AAA Mode” section.
You can add only three servers at a time in Prime Infrastructure. -
AAA authentication not working and 'default' method list
Guys,
I hope someone can help me here in troubleshooting an AAA issue. I have copied the configuration and debug below. The router keeps using the local username/password even though the ACS servers are reachable and working. From the debugs it seems it keeps using the 'default' method list, ignoring the TACACS config. Any help will be appreciated.
Config
aaa new-model
username admin privilege 15 secret 5 xxxxxxxxxx.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
ip tacacs source-interface Vlan200
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line. End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#
Are the tacacs+ servers reachable using the source vlan 200? Also, in the tacacs+ server can you check if the IP address for this device is correctly configured, and also please check the password on both the server and this device match.
As Rick suggested, sh tacacs would be good as well. That would show failures and successes.
HTH
Kishore -
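The debug output in this thread carries the answer to "why local?": the tacacs+ method ended with `Post authorization status = ERROR`, after which IOS moved to the next method, `LOCAL`, which returned `PASS_ADD`. The parser below is an added example, not Cisco code; it reads the `debug aaa authorization` line format shown above, groups lines by the request id in parentheses, and flags every request where a server method errored and a later method made the decision, reporting how long the device waited on the server. The sample input is a subset of the debug lines posted above; a wait close to the default 5 second `tacacs-server timeout` points at a server that never answered rather than one that rejected the request, which is exactly what `sh tacacs` would then confirm.

```python
"""Parser for the 'debug aaa authorization' output shown in the thread
above, used to spot requests that the TACACS+ server never answered.

Added example, not Cisco code.  It reads the IOS debug line format
'<seq>: <Mon> <day> <hh:mm:ss.mmm> <tz>: <message>', groups lines by the
request id in parentheses, and flags every request where a server method
returned ERROR and a later method (here LOCAL) made the decision.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+)\s+\w+:\s+(?P<msg>.*)$")
REQ_RE = re.compile(r"\((\d+)\)")                 # numeric request id, e.g. (2162495688)
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
USER_RE = re.compile(r"user='([^']*)'")
CMD_RE = re.compile(r"send AV cmd(?:-arg)?=(\S+)")

# Sample input: a subset of the debug lines posted in the thread above.
SAMPLE_DEBUG = """\
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
""".splitlines()


def parse_ts(ts: str) -> datetime:
    # IOS debug timestamps carry no year; strptime fills in 1900, which is
    # fine for computing differences within one capture.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S.%f")


def parse_debug(lines):
    """Return {request_id: {"user", "command", "attempts"}} where attempts is
    the ordered list of {method, status, start, end} for that request."""
    reqs = defaultdict(lambda: {"user": None, "command": [], "attempts": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        rid = REQ_RE.search(msg)
        if not rid:
            continue
        req = reqs[rid.group(1)]
        ts = parse_ts(m["ts"])
        u = USER_RE.search(msg)
        if u:
            req["user"] = u.group(1)
        c = CMD_RE.search(msg)
        # The AAA/AUTHOR/TAC+ lines repeat the same AVs; count them once.
        if c and "AAA/AUTHOR/CMD" in msg and c.group(1) != "<cr>":
            req["command"].append(c.group(1))
        meth = METHOD_RE.search(msg)
        if meth:
            req["attempts"].append({"method": meth.group(1), "status": None,
                                    "start": ts, "end": None})
        st = STATUS_RE.search(msg)
        if st and req["attempts"]:
            req["attempts"][-1]["status"] = st.group(1)
            req["attempts"][-1]["end"] = ts
    return dict(reqs)


def find_fallbacks(reqs):
    """A method that ended in ERROR followed by another method means the AAA
    server did not answer; the wait time between the two hints at a timeout."""
    findings = []
    for rid, req in reqs.items():
        attempts = req["attempts"]
        for i, a in enumerate(attempts[:-1]):
            if a["status"] == "ERROR":
                nxt = attempts[i + 1]
                findings.append({
                    "request": rid,
                    "user": req["user"],
                    "command": " ".join(req["command"]),
                    "errored": a["method"],
                    "decided_by": nxt["method"],
                    "decision": nxt["status"],
                    "server_wait_s": (a["end"] - a["start"]).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_fallbacks(parse_debug(SAMPLE_DEBUG)):
        print(f"request {f['request']}: '{f['command']}' by {f['user']}: "
              f"{f['errored']} returned ERROR after {f['server_wait_s']:.3f}s, "
              f"{f['decided_by']} returned {f['decision']}")
```

Run against a longer `debug aaa authorization` capture, the same two functions give a per-request list of which method actually authorized each command, so a device that is quietly falling back to its local database shows up as a stream of ERROR-then-LOCAL findings rather than a single surprising login.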
Fixed ip for vpn user- aaa authenticated
Hi all,
I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with a AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?
With local AAA authentication, go to the user attributes, like:
username vpnuser attributes
 vpn-framed-ip-address 192.168.50.1 255.255.255.255
This will give that IP to that user.
If you are using Cisco ACS, under the user settings go to:
Assign static IP address—If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
And the following link gives step-by-step instructions to configure Cisco ACS AAA:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
good luck
please, if helpful Rate -
LMS 3.2 - Problem with inventory of switches using AAA authentication
Hi all,
We want to migrate our network equipment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for priv level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when the device login credentials are telnet password, enable password.
I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked it by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks couldn't pull an inventory of the switch any more. Every inventory job failed.
Any help would be appreciated. Thanks a lot.
Regards
fred
Joe,
excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
fred