PIX - AAA Authentication Exclude

I have enabled the "aaa authentication exclude" command statement on a PIX (6.3).
This excludes the hosts for which the firewall does not prompt for authentication.
What is the best way to add more lines to it? Do I have to remove all the commands and then re-enter all the old and new commands? I added one host to the list for exclusion, but the PIX still prompts for username/password.
aaa authentication exclude https outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
aaa authentication exclude http outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv
aaa authentication exclude tcp/25 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv

Remove the old configuration. To exclude a particular source or destination from authentication, authorization, or accounting, try
aaa authentication exclude telnet outside 172.18.124.114 255.255.255.255 99.99.99.3 255.255.255.255 AuthInbound
aaa authorization exclude telnet outside 172.18.124.114 255.255.255.255 99.99.99.3 255.255.255.255 AuthInbound
Refer to the URL
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml#exclude_command
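
The reply above says to remove the old statements and re-enter them; the other thing that bites with include/exclude on the PIX is that an exclude only takes effect when it matches the same interface, service and local/foreign address pair as the include it is meant to exempt. The following Python script is an added example, not part of the original thread or of Cisco's code: it is a simplified model of how PIX 6.3 include/exclude statements are matched (service keywords, interface name, local and foreign address masks, exclude winning over include), and it rejects statements that are missing the interface-name field, as the tcp/25 lines in the question are. The sample config and addresses are constructed; treating the any keyword as "all TCP" is an assumption of the model.

```python
"""Simplified model of PIX 6.3 'aaa authentication include|exclude' matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PIX authen_service keywords and the TCP port each stands for.
NAMED_SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443),
                  "ftp": ("tcp", 21), "telnet": ("tcp", 23)}


@dataclass(frozen=True)
class AaaRule:
    action: str                      # "include" or "exclude"
    service: str                     # http, https, ftp, telnet, tcp/25, tcp/0, any
    if_name: str                     # interface the connection arrives on
    local: ipaddress.IPv4Network     # protected (higher-security) side
    foreign: ipaddress.IPv4Network   # originating (lower-security) side
    server_tag: str


def parse_rule(line: str) -> AaaRule:
    """Parse 'aaa authentication include|exclude svc if_name lip lmask fip fmask tag'."""
    parts = line.split()
    if parts[:2] != ["aaa", "authentication"] or len(parts) < 3 \
            or parts[2] not in ("include", "exclude"):
        raise ValueError(f"not an include/exclude statement: {line!r}")
    if len(parts) != 10:
        # The slip in the question: no interface name, so every address field
        # shifts by one and the statement does not mean what it looks like.
        raise ValueError(f"expected 10 fields, got {len(parts)} "
                         f"(interface name missing?): {line!r}")
    _, _, action, svc, if_name, lip, lmask, fip, fmask, tag = parts
    return AaaRule(action, svc, if_name,
                   ipaddress.IPv4Network((lip, lmask), strict=False),
                   ipaddress.IPv4Network((fip, fmask), strict=False), tag)


def is_valid_rule(line: str) -> bool:
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def service_matches(rule_svc: str, proto: str, port: int) -> bool:
    if rule_svc in NAMED_SERVICES:
        return (proto, port) == NAMED_SERVICES[rule_svc]
    if rule_svc == "any":                       # assumption: "any" = all TCP
        return proto == "tcp"
    rproto, _, rport = rule_svc.partition("/")  # tcp/25, tcp/0 (= any TCP port)
    return rproto == proto and (rport == "0" or rport == str(port))


def load_rules(config: str) -> List[AaaRule]:
    return [parse_rule(l) for l in config.splitlines()
            if l.strip().startswith("aaa authentication")]


def decide(rules: List[AaaRule], if_name: str, proto: str,
           local_ip: str, foreign_ip: str, port: int) -> Tuple[str, Optional[AaaRule]]:
    """exclude beats include; a flow matching neither is simply not authenticated."""
    lip, fip = ipaddress.IPv4Address(local_ip), ipaddress.IPv4Address(foreign_ip)
    hits = [r for r in rules
            if r.if_name == if_name and service_matches(r.service, proto, port)
            and lip in r.local and fip in r.foreign]
    for r in hits:
        if r.action == "exclude":
            return "exclude", r
    for r in hits:
        if r.action == "include":
            return "authenticate", r
    return "no-match", None


# Constructed sample: authenticate all inbound http/https, exempt one https pair.
SAMPLE_CONFIG = """
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 authserv
aaa authentication include https outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 authserv
aaa authentication exclude https outside 10.1.1.10 255.255.255.255 203.0.113.5 255.255.255.255 authserv
"""


def demo() -> dict:
    rules = load_rules(SAMPLE_CONFIG)
    return {
        "https_exempt_pair":  decide(rules, "outside", "tcp", "10.1.1.10", "203.0.113.5", 443)[0],
        "http_same_pair":     decide(rules, "outside", "tcp", "10.1.1.10", "203.0.113.5", 80)[0],
        "https_other_client": decide(rules, "outside", "tcp", "10.1.1.10", "203.0.113.6", 443)[0],
        "wrong_interface":    decide(rules, "inside", "tcp", "10.1.1.10", "203.0.113.5", 443)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
    bad = "aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv"
    print("missing interface accepted?", is_valid_rule(bad))
```

The http flow from the exempted pair still returns "authenticate" because only https was excluded; that is the behaviour the question describes, and the fix is a second exclude for http (as the poster's first two lines do), not re-entering the same one.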

Similar Messages

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine, now i would like to add the back up authentication, as follows:
    - If the ACS goes down i can to be authenticated with the local database.
    Is it possible with PIX, if yes how?

    Hi,
I am trying to configure AAA using TACACS+ and I am not able to close this out. The problems are:
1. It doesn't ask for username/password at the first level.
2. At the second level it asks for a username but doesn't authenticate the user.
Could you please let me know if the following config is correct. If not, could you help me?
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Aaa authentication enable console (server_name) password issue

    Here is the problem I am experiencing and I hope someone out there is able to help;
I have an ASA5510 (running software version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the open source TACACS+ supplied by Cisco).
The problem is as follows:
I can telnet to the appliance remotely and, using my username and password (configured on the TACACS server), I am authenticated. But after entering enable I am prompted for a password, and I cannot get past this prompt. I have tried the same password I previously entered at the telnet prompt and it failed; the local enable password fails as well. Any suggestions?
    aaa-server (server_name) protocol tacacs+
    aaa-server (server_name) (interlinkport) host (Address)
    key (password)
    aaa authentication enable console (server_name) LOCAL
    aaa authentication http console (server_name) LOCAL
    aaa authentication serial console (server_name) LOCAL
    aaa authentication ssh console (server_name) LOCAL
    aaa authentication telnet console (server_name) LOCAL
    aaa accounting command privilege 15 (server_name)
    aaa authorization exec authentication-server

    I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.
    Since the code is open source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.
    The configuration file would look something like this:
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    user = cciesec {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec"
    }
    user = $cciesec$ {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec1"
    }
    group = admin {
        default service = permit
    }
    On the Pix:
    aaa-server NEO protocol tacacs+
    aaa-server NEO (outside) host 192.168.15.10
    timeout 5
    key cciesec
    aaa authentication ssh console NEO LOCAL
    aaa authentication enable console NEO LOCAL
    Here is the login sequence:
    [root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
    The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
    RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
    cciesec@192.168.0.25's password:
    Type help or '?' for a list of available commands.
    CiscoPix> en
    Password: ********
    CiscoPix#
    In other words, my initial password is "cciesec" and my enable password
    is "cciesec1". Another user "tom" will have his own login and enable
    password.
    Simple enough?
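
The convention in the reply above (a $user$ entry holds the user's enable password, with enable.c modified to look it up) is easy to get wrong once there are more than a couple of users: a user without a matching $user$ entry, or one whose enable password equals the login password. The following Python script is an added example, not from the thread or from the tac_plus distribution: it parses the user and group blocks of a tac_plus.conf written in the simple form shown above and reports missing enable entries, identical login/enable secrets, group mismatches and cleartext passwords in the file. The sample configuration is constructed from the reply's layout, with an extra user "tom" whose des hash is a made-up string.

```python
"""Lint a tac_plus.conf for the per-user $user$ enable convention (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_RE = re.compile(r'^\s*(user|group)\s*=\s*(\S+)\s*\{\s*$')   # user = name {
KV_RE = re.compile(r'^\s*([\w ]+?)\s*=\s*(.+?)\s*$')              # key = value
LOGIN_RE = re.compile(r'^(\w+)\s+"?([^"]*)"?$')                    # cleartext "x" / des "hash"


@dataclass
class TacUser:
    name: str
    member: Optional[str] = None
    login_type: Optional[str] = None     # cleartext, des, ...
    login_value: Optional[str] = None


def parse_tac_plus(text: str) -> Tuple[Dict[str, TacUser], Dict[str, Dict[str, str]]]:
    """Minimal parser: one-level user/group blocks, key = value lines, # comments."""
    users: Dict[str, TacUser] = {}
    groups: Dict[str, Dict[str, str]] = {}
    current = None                             # (kind, name) of the open block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = m.groups()
            kind, name = current
            if kind == "user":
                users[name] = TacUser(name)
            else:
                groups[name] = {}
            continue
        if line.strip() == "}":
            current = None
            continue
        m = KV_RE.match(line)
        if not m or current is None:           # top-level key/accounting lines: ignored
            continue
        key, value = m.groups()
        kind, name = current
        if kind == "group":
            groups[name][key] = value
        elif key == "member":
            users[name].member = value
        elif key == "login":
            lm = LOGIN_RE.match(value)
            if lm:
                users[name].login_type, users[name].login_value = lm.groups()
    return users, groups


def lint(users: Dict[str, TacUser], groups: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    for name, u in users.items():
        if u.member and u.member not in groups:
            findings.append(f"{name}: member of undefined group {u.member}")
        if u.login_type == "cleartext":
            findings.append(f"{name}: cleartext password stored in config")
        if name.startswith("$") and name.endswith("$"):
            continue                           # this is itself an enable entry
        en = users.get(f"${name}$")
        if en is None:
            findings.append(f"{name}: no ${name}$ enable entry")
            continue
        if (u.login_type, u.login_value) == (en.login_type, en.login_value):
            findings.append(f"{name}: enable password identical to login password")
        if en.member != u.member:
            findings.append(f"{name}: login and enable entries are in different groups")
    return findings


def audit(text: str) -> List[str]:
    return lint(*parse_tac_plus(text))


# Constructed sample in the layout of the reply; tom's des hash is a made-up string.
SAMPLE_CONF = """
accounting file = /var/log/tac_plus.log
key = examplekey
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec1"
}
user = tom {
    member = admin
    login = des "X9b1Pq2tYq0aE"
}
group = admin {
    default service = permit
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against the real file before reloading the daemon; a missing $user$ entry is exactly the "enable password never accepted" symptom the original poster describes.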

  • Aaa authentication

    I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.
    I've implemented the following commands:
    aaa-server LOCAL protocol local
    access-list authlist permit tcp any any eq www
    aaa authentication match authlist outside LOCAL
    When these commands are used, authentication works as advertised. When I change the access-list to:
    access-list authlist permit tcp any host 192.168.1.2 eq www
    where 192.168.1.2 is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.
    Any ideas?
    Noah

    Hi,
    The solution lies in where you are trying to access the server from, and where you have applied the authentication.
    192.168.1.2 definitely doesn't appear to be a global IP (if you are not working in a test scenario).
    "outside" in the authentication statement means that we want authentication to happen for all the traffic coming in on the outside interface.
    A little topology detail will help.
    Regards,
    Prem

  • PIX AAA To tacacs server not reliable

    I've got a couple of different platforms of PIX, 535s and FWSMs mainly all running the latest code. I have them all configured similarly with regards to AAA via tacacs:
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS host <Removed> key <removed>
    username <removed> password <removed> encrypted privilege 15
    aaa authentication enable console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa accounting command TACACS
    Now, sometimes I can get in with my TACACS account but other times I have to use the local backup account. There seems to be no reason behind it. My routers, all pointing to the same TACACS server, have no issues like this. The PIXes, however, are totally unreliable in this regard.
    Anyone experiencing this?

    Hello mlipsey,
    This shouldn't be. Do the ACS logs reveal anything? What about
    debug tacacs
    debug aaa authentication
    Can you send 1000 pings to the tacacs server from your FWs without issue? Any packet loss?
    Hope this helps! If so, please rate.
    Thanks!

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
    ip radius source-interface mgmt 0
    radius-server key XXXXX
    radius-server host X.X.X.X key XXXXX authentication accounting
    radius-server host X.X.X.X key XXXXX authentication accounting
    aaa authentication login default group Radius_Group
    aaa authentication login console local
    aaa group server radius Radius_Group
        server X.X.X.X
        server X.X.X.X
        source-interface mgmt0
    Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest setting
    shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server.
    Does anyone know if this works?
    Thanks

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • NAS configure with 2 ip address failed on AAA authentication

    I have routers configured with 2 BVI interfaces for DLSw.
    When I configure the NAS setting with 2 IP addresses, sometimes the AAA authentication fails to prompt for user authentication.
    Should I use ip tacacs source-interface?
    If I configure only one, and that interface is down, then I will not be authenticated using AAA even though the second BVI interface is up.

    Chee
    The AAA server identifies the client by a single IP address and the client always needs to use that address as the source address. If you have 2 BVI interfaces it may be that sometimes the source address is one and sometimes the source address is the other. That would account for the fact that sometimes it prompts for user authentication and sometimes it does not prompt.
    If using 1 BVI as the source address creates the potential that sometimes it might not work because that interface was down but the other BVI was up, then perhaps you should consider configuring a loopback address and using the loopback address as the source address. If the loopback was the source address then it would not matter which BVI might be up and which might be down.
    HTH
    Rick

  • Fixed ip for vpn user- aaa authenticated

    Hi all,
    I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with a AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?

    With local AAA authentication, go to the user attributes, e.g.
    username vpnuser attributes
    vpn-framed-ip-address 192.168.50.1 255.255.255.255
    This will give that IP to that user.
    If you are using Cisco ACS, under the user setting go to:
    Assign static IP address - If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
    The following link gives step-by-step instructions to configure Cisco ACS AAA:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
    good luck
    please, if helpful Rate

  • LMS 3.2 - Problem with inventory of switches using AAA authentication

    Hi all,
    we want to migrate our network equipment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for privilege level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when the device login credentials are telnet password and enable password.
    I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked them by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks couldn't pull an inventory of the switch any more. Every inventory job failed.
    Any help would be appreciated. Thanks a lot.
    Regards
    fred

    Joe,
    Excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
    fred

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for these.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then via the local enable password.
    For all users I need different privilege levels, based upon which access will be granted.
    Could you please send me the config that is required on the network devices as well as on ACS?

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different from the server group in the aaa authentication statements.
    Try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Aaa authentication for https access

    I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
    Thanks in advance,
    Eric

    My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
    HTH
    Rick

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is set up between PE and CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    --> Config Begins <---
    aaa new-model
    aaa group server radius radius-auth
    server x.x.4.23 auth-port 1645 acct-port 1646
    server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now, if I remove the VRF-Lite setup and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
    server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
    ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group RADIUS-VRF-X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • Why do we need aaa authentication enable

    Hi all 
    Why do we need "aaa authentication enable default group tacacs+ enable"? Is "aaa authentication login default group tacacs+ enable"
    not enough?
     aaa authentication login default group tacacs+ enable
     aaa authentication enable default group tacacs+ enable
    Thanks 

    Hi jatin ,
    Just for clarification, if I add "aaa authentication enable default group tacacs+ enable", once authenticated the device will go directly to enable mode.
    As you said  
    aaa authentication login default group tacacs+ local
    in case tacacs failed  user has to enter local username and password . once it is authenticated  
    " aaa authentication enable default group tacacs+ enable " will be executed and the user  have to enter the enable (local db )  secret .
    Please correct me if I am wrong.
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

  • AAA authentication / Radius-Servers

    Hello Cisco folks,
    I have a technical question I would like to ask. I'm able to set up my 3750E switch to log in through a RADIUS server with my company user ID and password, but I would like to set it up so that when I log in it drops me at the enable prompt. Right now I have to type "en" and then the enable password. Thanks in advance.
    Paul

    Hi Bro
    Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
    Just ensure you've the configuration shown below, and all should be good;
    enable password cisco
    aaa new-model
    aaa authentication login VTY group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec VTY group radius local
    username ram privilege 15 password 0 cisco
    username cisco privilege 7 password 0 cisco
    interface FastEthernet0/0
    ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip radius source-interface FastEthernet0/0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
    privilege interface level 7 shutdown
    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no shutdown
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no
    privilege configure level 7 interface
    privilege configure level 7 shutdown
    privilege configure level 7 ip
    privilege configure level 7 no interface
    privilege configure level 7 no shutdown
    privilege configure level 7 no ip
    privilege configure level 0 no
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 undebug ip rip
    privilege exec level 7 undebug ip
    privilege exec level 7 undebug all
    privilege exec level 7 undebug
    privilege exec level 7 debug ip rip
    privilege exec level 7 debug ip
    privilege exec level 7 debug all
    privilege exec level 7 debug
    line con 0
    authorization exec VTY
    login authentication VTY
    line aux 0
    line vty 0 4
    authorization exec VTY
    login authentication VTY
    end
    Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
    P/S: if you think this comment is helpful, please do rate it nicely :-)
