ISG issue on AAA prepaid authorization

Hello,
I'm currently working on an FTTH project and I configured a 7204VXR (NPE-G1) along with a 12.2(31)SB2 version of IOS, in order to use Cisco ISG functionalities. My Cisco config file is attached.
We have the following architecture: 


Similar Messages

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as the External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried rebooting the switch and the PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization work properly again for several hours.
    I don't understand: is it a glitch, or have I misconfigured ISE, the switch, or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15 Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times); it didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that the username and password were invalid. Finally solved the issue by using Microsoft Exchange with "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • AAA command authorization in ACE

    How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.
    Kind regards
    Ullas

    Hi,
    See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
    "The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
    There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
    HTH
    Cathy

  • AAA command authorization

    Dudes
    We had a problem replicating the database to the secondary ACS (4.2) server. Somehow I've managed to fix the issue by changing firewall inspection and the shared secret. Now I've got a new issue with "command authorization failed" after successful authentication. This happens only when we bring the secondary server service up. Not all the AAA clients have issues, but some do for some strange reason. Has anyone come across this sort of issue? Pls let me know what I should do to fix this issue, as I cannot keep the secondary server down for a long time.
    Thanks in advance
    Rajesh

    SCCP (skinny) inspection will break ACS 4.x/3.x database replication since both SCCP and replication use TCP/2000.
    What reason does ACS give to reject the authorization requests?

  • AAA Local Authorization....

    Hello all. Hopefully, this will prove to be an easy question with a simple answer!
    I want to configure local usernames/passwords on my router, with different privilege levels. For example, username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all commands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both usernames have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level 15 commands?
    Can anyone point me in the right direction.....
    aaa new-model
    aaa authentication login default local
    aaa authorization commands 1 default local
    aaa authorization commands 15 default local
    enable secret test
    username admin privilege 1 password cisco1
    username engineer privilege 15 password cisco2
    Thanks.

    Just typing enable defaults to enable 15.
    A careful look at the following commands should answer your question:
    Router6>enable ?
    <0-15> Enable level
    Router6(config)#enable password ?
    0 Specifies an UNENCRYPTED password will follow
    7 Specifies a HIDDEN password will follow
    LINE The UNENCRYPTED (cleartext) 'enable' password
    level Set exec level password
    Router6(config)#enable password le
    Router6(config)#enable password level ?
    <1-15> Level number
    Victor
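    The root cause Victor points at is that a bare `enable` requests level 15 and the enable secret is shared by both users. The defensive fix is to let AAA place each user at its configured privilege level at login, so the level-1 operator never needs the enable secret at all. The following IOS fragment is an added example, not the original poster's or Victor's configuration; usernames and secrets are placeholders.

```cisco
! Added example (not from the thread): local AAA with per-user privilege
! levels enforced at login. Usernames and secrets are placeholders.
aaa new-model
aaa authentication login default local
! Start each EXEC session at the privilege level configured on the
! username, instead of level 1 for everyone. This is the line the
! original configuration is missing.
aaa authorization exec default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
! Authorization applies to vty lines by default; add this if the console
! line must be covered as well.
aaa authorization console
! Use 'secret' (hashed) rather than 'password'. The level-15 user lands in
! privileged EXEC directly; the level-1 user is never given the enable secret.
username admin privilege 1 secret CHANGE-ME-1
username engineer privilege 15 secret CHANGE-ME-15
! Keep the enable secret as a break-glass credential only. Anyone who knows
! it can type 'enable' and reach level 15 regardless of their username.
enable secret CHANGE-ME-ENABLE
! Verify after logging in as each user:
!   show privilege
```

    With this in place, `admin` logs straight into `Router>` at level 1 and `engineer` into `Router#` at level 15; command authorization against the local database then enforces the level on every command. The original symptom only disappears if the level-1 account does not also hold the enable secret.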

  • Cisco ISG Integration with AAA & Policy Server

    Hi,
    We are integrating Cisco ISG (IOS XE - ASR1001) with AAA and a Policy Server. We have the two specific service provider requirements below.
    1. TAL - Transparent Automatic Subscriber for a Range of IP or Pool of IP - how do we add such an identifier in Policy/Control Maps as an attribute handshake with AAA?
    2. Different QoS Enforcement for a Single User based on Day and Night Time. What logic should be used?
    Note: The Subscribers are from a wired network and DHCP controlled.
    Please help, thanx in advance...
    Bhavesh

    Dear Bhavesh,
    Try this; it is a working and tested policy for TAL & ISG on ASR 1001.
    QoS will work with the RADIUS request and will be applied to the online user with a different plan.
    class-map type traffic match-any PPPOE
    match access-group output name PPPOE-out
    match access-group input name PPPOE-in
    class-map type control match-any TAL
    match source-ip-address 30.30.30.0 255.255.255.0
    class-map type control match-all IP_UNAUTH_COND
    match timer IP_UNAUTH_TIMER
    match authen-status unauthenticated
    class-map type control match-all PPPOE-CON
    match media ether
    match authen-status unauthenticated
    match protocol ppp
    policy-map type control PPPOE-USR
    class type control always event timed-policy-expiry
      10 service disconnect
    class type control always event account-logoff
      10 service disconnect delay 2
    class type control always event quota-depleted
      10 set-param drop-traffic TRUE
    class type control always event session-start
      10 authenticate aaa list PPP-USR
    class type control always event service-start
      20 service-policy type service identifier service-name
    class type control always event service-stop
      1 service-policy type service unapply identifier service-name
    policy-map type control TAL_IP_POLICY_RULE
    class type control IP_UNAUTH_COND event timed-policy-expiry
      10 service disconnect
    class type control TAL event account-logoff
      10 service disconnect delay 5
    class type control TAL event session-start
      30 authorize aaa list AAA-STATIC password cisco identifier source-ip-address
      50 set-timer IP_UNAUTH_TIMER 5
    class type control TAL event session-restart
      30 authorize aaa list AAA-STATIC password cisco identifier source-ip-address
      50 set-timer IP_UNAUTH_TIMER 5
    class type control TAL event quota-depleted
      10 set-param drop-traffic TRUE
    class type control TAL event service-start
      10 service-policy type service identifier service-name
    bba-group pppoe global
    virtual-template 1
    interface GigabitEthernet0/0/0
    ip address 10.10.10.2 255.255.255.0
    no ip proxy-arp
    negotiation auto
    interface GigabitEthernet0/0/1
    ip address 30.30.30.1 255.255.255.0
    negotiation auto
    pppoe enable group global
    service-policy type control TAL_IP_POLICY_RULE
    ip subscriber routed
      initiator unclassified ip-address
    interface GigabitEthernet0/0/2
    ip address 172.16.1.1 255.255.255.0
    negotiation auto
    interface GigabitEthernet0/0/3
    no ip address
    shutdown
    negotiation auto
    interface GigabitEthernet0/2/0
    no ip address
    shutdown
    negotiation auto
    interface GigabitEthernet0/2/1
    no ip address
    shutdown
    negotiation auto
    interface GigabitEthernet0/2/2
    no ip address
    shutdown
    negotiation auto
    interface GigabitEthernet0/2/3
    no ip address
    shutdown
    negotiation auto
    interface GigabitEthernet0
    vrf forwarding Mgmt-intf
    no ip address
    shutdown
    negotiation auto
    interface Virtual-Template1
    ip dhcp relay information trusted
    ip unnumbered GigabitEthernet0/0/1
    ip helper-address 10.10.10.1
    timeout absolute 43200 0
    peer default ip address dhcp
    ppp mtu adaptive
    ppp authentication pap
    ppp authorization PPP-USR
    service-policy type control PPPOE-USR
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.1.2
    ip access-list extended DROP-in
    deny   ip any any
    ip access-list extended DROP-out
    deny   ip any any
    ip access-list extended PPPOE-in
    permit ip any any
    ip access-list extended PPPOE-out
    permit ip any any
    vishal lumbhani

  • SAP BI 7.0 Transport issue with HR Structural Authorization DSO

    Hi,
    I am trying to transport HR Structural Authorization DSO Objects in BI 7.0 from the Dev to the QA system. The Data sources are 0PA_DS02 and 0PA_DS03. (I am sure that there are lots of changes in the Authorization concept in BI 7.0.)
    1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
    2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
    Thanks a lot for your valuable inputs.
    Regards
    Paramesh
    Edited by: paramesh kumar on May 5, 2009 12:45 AM

    Hi Paramesh.
    You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
    You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0; however, we have experienced some problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
    Regards,
    Lars

  • Sender SOAP Adapter issue with webservices for authorization.

    Hi All
    Issue:
    We are developing a Web Service to fetch an account balance from SAP (upon receiving the account no. from the client) and have given the WSDL file to a J2EE application to call or make use of the service. But as a part of that service they expect the userid/password to be entered manually from a client pop-up. At this point of time, we don't want to enter the userid/password manually, but we want this to be hardcoded/embedded in the Web Service so that there is no need for manual intervention upon calling this service.
    Actual Requirement:
    From Webservices to R/3-ECC6.0-IS-Banking-RFC (Synchronous Interface)
    Sender: SOAP Adapter synchronous
    Receiver: RFC Adapter synchronous
    Note: The request carries an account number, and the response from the RFC to the web service is the account Balance and Date.
    Regards
    Kiran kumar.s

    Hi Praveen,
    Thanks for your reply. What you said is exactly right, but for the time being I have to make the client not get the authorization pop-up (Username and password) when he invokes the WSDL into the web service. For that you told me to write some hardcode in the J2EE application, but I don't know where to write it and what to write. So, if possible, can you give me the code and procedure?
    This is the URL:
    http://hcl3sap:50000/XISOAPAdapter/MessageServlet?channel=:BS_WEBSERVICE:CC_SOAPSENDER
    Regards,
    kiran kumar.

  • Goods issue against STO (plant authorization)

    Dear All
    I have an authorization issue when doing goods issue from Plant 1, against an STO raised for Plant 2.
    User has MIGO authorization for 351mvt with authorization object M_MSEG_BWA;
    Also he has authorization for all storage locations of Plant 1 and 351mvt with object M_MSEG_LGO; And plant authorization of migo is given for Plant 1 with authorization object M_MSEG_WWA
    To issue goods from plant 1 to Plant 2 against the STO raised at Plant 2, what authorization does he require? At the same time he should not able to do GR for POs of plant 2 etc.
    Thanks in advance

    Hi
    I was also under the same impression, but the SU53 screenshot is showing an authorization problem with object M_MSEG_WWA for Plant 2.
    User has been given the same for plant 1 (own plant)

  • Issue with Planning sequence authorization in WAD

    Hi,
    There is a planning sequence which I can execute through Modeler without any issue. However I am not able to execute the same from WAD. It says 'You are not authorized to execute planning sequence....'
    Please advise.
    Regards,
    SSC

    Hi,
    You need to create one role in which you add the planning-related authorization objects, i.e.
    S_RS_PLSE     Planning Function
    S_RS_PLSQ     Planning Sequence
    S_RS_PLST     Planning Service Type
    S_RS_PPM     Authorization Object for BI Planning Process Management etc....
    and attach to your id.
    I think you do not have authorization for S_RS_PLSQ.
    try this.
    Regards,
    Ganesh

  • Issue with context specific authorization object P_ORGINCON.

    Hello Experts,
    The context-specific authorization object doesn't evaluate the structural profile it is assigned to when more than one structural authorization is assigned to a user.
    Please read the scenario below for the issue description:
    User ZHR_ACT13 is assigned two roles, namely ZHR_HRD and ZHR_DEPT_HEAD.
    He is the manager for employee ID 167 and is not the manager of employee ID 17.
    Role ZHR_HRD has no read/write authorization for Infotype 6. ZHR_HRD is also assigned to structural authorization ALL, which is meant for viewing all the objects with no restriction of any relationship.
    Role ZHR_DEPT_HEAD has read authorization for infotype 6 for only the subordinates, i.e. the structural authorization ZDEPT_HEAD for viewing only the subordinates' data is assigned to this role. Also, this structural authorization ZDEPT_HEAD is assigned to infotype 6 using authorization object P_ORGINCON.
    But now the manager ZHR_ACT13 is able to read infotype 6 data for employee ID 17, who is not his subordinate, even though only structural authorization ZDEPT_HEAD is assigned to infotype 6 using P_ORGINCON. We expect that user ZHR_ACT13 must be able to read infotype 6 data only for employee ID 167 and not for employee ID 17.
    Please kindly help resolve this issue.
    Thanks & Regards,
    Roshan.

    This has been resolved.

  • Having issues with AAA TACACS ACS

    We are trying to get our WAVE's to utilize the ACS for TACACS authentication and are having issues.
    We have followed the suggestions of many posts in the forum and also the guides, but are still not able to get it working. The group has been created on the Central Manager, and under the group for the ACS the following has been added:
    shell:waas_rbac_groups*CoreWAAS
    We have other items in there for authentication for ACE contexts as well as Nexus equipment. We used the same type of scheme. When a user attempts to authenticate and purposely types an incorrect pwd, we get back a response that the creds are not valid (which they aren't). If the user types in the correct creds, we get a passed authentication entry in the ACS, yet we get no response back from the session; it immediately disconnects. We have enabled command authorization of 15 on the WAVE group, but this has not made any changes.
    Please advise,
    Joe

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.
    I would guess that the ACS is reporting an unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the TACACS+ packets from the interface with the IP address you have the ACS configured for?
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ASDM (ASA9.1) won't fully initiated when configured AAA command authorization

    The ASA doesn't have any local account; all authentication is done via AAA.
    On AAA, we have two "groups", both assigned to privilege_15: one group (A) can issue all commands, the other group (B) can only issue the command sets we defined.
    Group A can log in to ASDM without any problems.
    Group B can pass the login pop-up, then ASDM starts to load its window; at the bottom it does show that the logged-in user has privilege 15, then it stops at "parsing running configuration..." and the login screen pops up again, and I cannot pass it.
    I suspect it's somewhere in permissions; can someone help? Thanks.
    Leo Song

    Hello,
    There are some commands that are required in order to load the ASDM
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command blocks
    Make sure you have them
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • AAA command authorization ASA

    I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a "user not authorized" message, and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
    Current commands
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    Entered commands
    aaa authentication enable console CSACS-TACACS+
    aaa authorization command CSACS-TACACS+

    Douglas,
    Try the following configuration:
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    aaa authentication enable console CSACS-TACACS+
    With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server; if this part works fine, then authorization should also be working fine.
    Remember to keep another session open in privileged mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.
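    The lock-out Douglas describes is the classic failure mode of turning on command authorization with no fallback. As an added example (not Douglas's configuration and not the replier's), this is the shape of an ASA AAA block that keeps the server tag from the thread but adds a LOCAL fallback and a break-glass account, so an unreachable or misconfigured TACACS+ server cannot lock every administrator out. The server address, shared key and local account are placeholders.

```cisco
! Added example (not from the thread): ASA AAA with local fallback.
! Server address, key and local account are placeholders.
aaa-server CSACS-TACACS+ protocol tacacs+
aaa-server CSACS-TACACS+ (inside) host 192.0.2.10
 key CHANGE-ME-SHARED-SECRET
! Local break-glass account. It is consulted only when the AAA server is
! unreachable, so it does not weaken the normal TACACS+ path.
username breakglass password CHANGE-ME privilege 15
! Authenticate against ACS, falling back to the local database if the
! server does not answer.
aaa authentication ssh console CSACS-TACACS+ LOCAL
aaa authentication http console CSACS-TACACS+ LOCAL
aaa authentication enable console CSACS-TACACS+ LOCAL
! Confirm the ASA can actually reach the server and that ACS recognises this
! device as a client before enabling authorization:
!   test aaa-server authentication CSACS-TACACS+ host 192.0.2.10 username <user> password <pass>
! Command authorization against ACS with LOCAL fallback. Enable this only
! from a second, already-privileged session, and exercise a few commands from
! a fresh login before closing that session.
aaa authorization command CSACS-TACACS+ LOCAL
```

    One caveat that matters for this thread: LOCAL fallback only covers the case where the server is unreachable. If ACS is reachable but rejects the authorization request (for example because the device is not defined as a AAA client, which would also explain the empty ACS log), the reject stands and the second privileged session is the only way back in.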

  • Tutorial: Issue Tracker, Problem with Authorization

    Hi All,
    I just worked through the Issue Tracking System Tutorial; everything looks great except the Authorization. I did the Tutorial on our local instance of HTMLDB, so I had to modify the Authorization Schemes a little. People should log in using their internal HTMLDB account, which uses an extra login name, not the email address. So I added a column PERSON_LOGIN to the ht_people table which holds the userID. My Authorization scheme looks like this:
    select '1' from ht_people where
    (upper(PERSON_LOGIN) = upper(:APP_USER) and
    PERSON_ROLE in ('Lead','Member') and
    ASSIGNED_PROJECT = :P7_RELATED_PROJECT)
    or (:APP_USER = 'HOWTO')
    or (:P7_ISSUE_ID is null)
    This Scheme simply does not work; the user does not get the authorization to edit the issues assigned to him. I can't see the problem: if I run this query I get the expected column back. If I log in to the Application and try to edit the issues, I don't get the necessary authorization. Any ideas?

    From Scott -
    I installed that demo app on our hosted site. I don't see anything structurally wrong with page 0 breadcrumbs. When you edit page 0, do you see the correct menu region, or is there a big number where its name should be? If you find something that you cannot repair, please let us know.
    As for the authorization schemes, I see what's going on. The scheme controls the display of buttons and a region on page 7 and is evaluated during the rendering of the region and the buttons. These events take place before the item P7_RELATED_PROJECT is rendered, thus before its session state is established or altered during that page view. However the implementation of the authorization scheme references the current session state of that item. That won't work. Using standard conditions (vs. authorization schemes) to control the buttons/regions that are earlier on the page than the referenced item would have the same problem if they used the same logic. For situations like this, LOVs that submit the page and result in a branch back to the same page can be very useful, or splitting the page into multiple pages, as in wizard implementations, can also work.
    From Sharon -
    I want to thank you for pointing out this bug. This is our first tutorial document and a lot of time was spent making sure that users could follow the directions and learn how to create all the objects that make up an application. Obviously, not enough time was spent testing the resultant application. The statement below should work for the Authorization Scheme in question.
    select '1'
    from ht_people
    where (person_email = :APP_USER and
    person_role in ('Lead','Member') and
    assigned_project = (select related_project
    from ht_issues
    where issue_id = :P7_ISSUE_ID))
    or (:APP_USER = 'HOWTO')
    or (:P7_ISSUE_ID is null)
    You will notice that it allows the modification of the issue by either the Lead or any Member of the project, not just the one assigned. When I update the document and repost on OTN, I will make a note of that.
    This checks that the current value of related project is the project that the Member or Lead is assigned to. It is true that while viewing the page, the user can change the related project. Once the change is applied, they would no longer be able to edit that issue.
