TACACS+ and authorization "conf-t" commands (IOS)

Hi
Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS + service without having to keep strings as "privilege configure level 3 interface" in the cisco running config?
Authorization for exec mode commands works well but I need the same for the commands of conf-t mode.
For example tac_plus.conf:
I need something like this (fictional syntax):
    service = configure {
       cmd = interface { permit FastEthernet .* }
       cmd = switchport { deny access .* }
it's already works well:
    service = exec {
       priv-lvl = 3
    cmd = ping { permit .* }
    cmd = wrire { deny memory }
Thank you for any ideas.

Hi Oleg,
here,as you said the commands like ping,show or any other commands in privilege level are authorized with tacacs+ server.but if you want to authorize in global configuration mode then you need to give an extra command
"acs#aaa authorization config-commands"
now after giving you can give any global configuration commands like
"acs(config)#interface FastEthernet "
either you permit or deny.this command gets  authorizes with tacacs+ server.
-thanks,
Rajiv

Similar Messages

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
    Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything i am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For (default login you need to use the first policy matched.
    you can diversify telnet/ssh with http by  creating different aaa groups.
    But still you will be loging in for telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • How to make AAA access and prevent conf t?

    Hello
    i am trying to setup AAA access to our network switches and routers with following requirements:
    Have two groups is ACS server: one ReadWrite (full access), second ReadOnly (full access except conf t command).
    Created network device groups. Created ACS groups (NetAdmin); shell (exec) is privilege level 15, Shell command auth set is configured ReadWrite for switches and routers.
    With bellow commands i managed to have it working OK for switches but cannot get it right for routers. Basically i get authenticated but still have access to conf t on routers. Switches do not have access to conf t for readonly group.
    ========================================================
    Switch:
    aaa new-model
    aaa group server tacacs+ AAA
    server 10.10.10.1
    server 10.10.10.2
    aaa authentication login default none
    aaa authentication login AAA group tacacs+ local
    aaa authentication login AAA-LOCAL local
    aaa authentication enable default group AAA enable
    aaa authorization exec default group AAA if-authenticated
    aaa authorization commands 1 default group AAA if-authenticated
    aaa authorization commands 15 default group AAA if-authenticated
    aaa accounting exec default start-stop group AAA
    aaa accounting commands 1 default start-stop group AAA
    aaa accounting commands 15 default start-stop group AAA
    aaa accounting network default start-stop group AAA
    aaa accounting connection default start-stop group AAA
    aaa accounting system default start-stop group AAA
    !line vty 0 4
    login authentication AAA
    =======================================================
    Router:
    aaa new-model
    aaa group server tacacs+ AAA
    server-private 10.10.10.1 key 11111
    aaa authentication login AAA-LOCAL local
    aaa authentication login AAA group AAA local
    aaa authentication enable default group AAA enable
    aaa authorization console
    aaa authorization exec default group AAA if-authenticated
    aaa authorization commands 1 default group AAA if-authenticated
    aaa authorization commands 15 default group AAA if-authenticated
    aaa accounting exec default
    action-type start-stop
    group AAA
    aaa accounting commands 1 default
    action-type start-stop
    group AAA
    aaa accounting commands 15 default
    action-type start-stop
    group AAA
    aaa accounting network default
    action-type start-stop
    group AAA
    aaa accounting connection default
    action-type start-stop
    group AAA
    aaa accounting system default
    action-type start-stop
    group AAA
    !line vty 0 4
    login authentication AAA
    =============================================================
    Based on bellow commands how can i setup AAA to fulfill our needs?
    Appreciated your help.

    ACS 4.x
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
    ACS 5.x
    http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml
    These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
        aaa new-model
        aaa authorization config-commands
        aaa authorization commands 0 default  group tacacs+ local
        aaa authorization commands 1 default  group tacacs+ local
        aaa authorization commands 15 default group tacacs+ local
        tacacs-server host 10.1.1.1
        tacacs-server key cisco123
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou
    Jatin Katyal
    - Do rate helpful posts -

  • Same user in tacacs and local database with different privilege

    Hi there,
    i am just not sure if this is correct behavior.
    i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
    i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    a user test with priv 15 is craeted on ACS server, password test2
    everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after )
    e.g.:  
    username test password test1 role priv-0   (note passwords are different for users in both databases)
    after i create the same user in local database with privilege 0,
    if i try to connect to the switch with this username test and password defined on ACS,  i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
    is this normal?
    thank you for help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems can not.
    Although IOS-XR, Nexus, ACE, Juniper  have "roled-based authorization" feature, every single one of them use their particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what were the particular attributes of ACE, what were the particular attributes of JunOS, etc, etc and to search deeply some hints the documentation , because sadly  documentation is not very good when talking about TACACS details.
    If you find which attributes to use, and what values to assign to the attributes then you can go to ACS and configure a "Shell Profile".
    Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles which names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend to use just the default roles, or customize some of them (only if needed), but not to use "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search the particular attributes Nexus use to talk to TACACS server. If I got them I will post them here.
    Please rate if it helps

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
    TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

  • FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

    Hi Cisco People
    I'm using FreeRadius 2 and Cisco 2600 Terminal server to coordinate access to cisco routers based on time‏ ranges.
    Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .) 
    +++++++++++++++                                           +++++++++++++++++                                      +++++++++++++
    +         User          +++++++++++++++++++++++   Cisco 2600          +++++++++++++++++++++   Network      +
    +                          +                                           +   Terminal Serv     +                                      +    Devices      +
    +++++++++++++++                                           +++++++++++++++++                                      +++++++++++++
                                                                                            (NAS)
                                                                                                +
                                                                                                +
                                                                                   +++++++++++++++     
                                                                                  +   FreeRadius      +
                                                                                  +++++++++++++++
    Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15"
    clients.conf
    ==============
    client 192.168.1.1 {
      secret = SECRET_KEY
      shortname = termserver
      nastype = cisco
    A typical transaction would be :
    Access-Request
    =======
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 35
            NAS-Port-Type = Async
            User-Name = "cisco"
            Calling-Station-Id = "1.1.1.1"
            User-Password = "cisco"
    Access-Accept
    =======
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
    This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be :
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15",
      Session-Timeout = 20
    Cisco Terminal Server
    ==============
    aaa new-model
    aaa authentication login default group radius local none
    aaa authorization exec default group radius if-authenticated 
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius
    After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attributes like the following :
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
            Session-Timeout = 20
    But the problem is that it doesn't really terminate the session after the 20 seconds are reached . My questions is that :
    1. Is the terminal server really able to enforce such time limit after receiving the attribute ?
    2. Is the 2600 terminal server  with [IOS 12.1(3)T] compliant with RFC 2865?
    3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached ?
    Thanks
    Frank

    Frank,
    I think you should use the login time s well:
    Login-Time
    Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
    The following line will grant Alice access only between 08:00 and 18:00 each day.
    "alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
    The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
    http://www.packtpub.com/article/getting-started-with-freeradius
    http://wiki.freeradius.org/config/Users
    yes, the terminal server is RFC 2865 compliant.
    Rate if Useful :)
    Sharing knowledge makes you Immortal.
    Regards,
    Ed

  • Problems getting TACACS and SNTP to cork on CSS11500

    Hi,
    I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s
    I have configured a TACACS server and an SNTP server which are accessable out the management interface. There is a route to these devices out the management interface. They aren't pingable but if I span the management port and sniff it I can see the ICMP requests leaviong th interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to TACACS server on the management or any of the other ports - it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mistmatch, but I don't think it can be as the device isn't even trying to connect to the TACACS server on port 49.
    Am I missing something obvious?
    I've pasted the relevant parts of the config below
    Thanks in advance,
    Dom
    lab-fe-2# show run
    !Generated on 11/20/2009 09:40:18
    !Active version: sg0820303
    configure
    !*************************** GLOBAL ***************************
      sntp primary-server 10.52.240.1 version 3
      sntp secondary-server 10.52.240.2 version 3
      virtual authentication primary tacacs
      virtual authentication secondary local
      tacacs-server key xxxxxxxxxxxxx
      tacacs-server 10.52.255.201 49
      ip management route 10.52.240.0 255.255.240.0 10.55.2.252
      ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
    !************************* INTERFACE *************************
    interface e1
      bridge vlan 2503
      phy 100Mbits-FD
    interface e2
      bridge vlan 2004
      phy 100Mbits-FD
    interface Ethernet-Mgmt
      phy 10Mbits-FD
    !************************** CIRCUIT **************************
    lab-fe-2# show boot
    !************************ BOOT CONFIG ************************
      ip address 10.55.2.245
      subnet mask 255.255.255.0
      primary boot-file sg0820303
      primary boot-type boot-via-disk
      gateway address 10.55.2.252
    lab-fe-2#
    lab-fe-2# show tacacs-server
    Per-Server Status:
    IP/Port              State   Primary        Authen.      Author.      Account
    10.52.255.201:49     Dead    No                   0            0            0
    Totals:                                           0            0            0
    Per-Server Configuration:
    IP/Port              Key              Server Timeout        Server Frequency
    10.52.255.201:49     Not Configured   None                  None
    Global Configuration Parameters:
    Global Timeout:                5
    Global KAL Frequency:          5
    Global Key:                    Configured
    Authorize Config Commands:     No
    Authorize Non-Config Commands: No
    Account Config Commands:       No
    Account Non-Config Commands:   No
    Send Full Command:             Yes
    end of buffer.
    lab-fe-2#
    lab-fe-2#
    lab-fe-2#
    lab-fe-2#

    I have got to the bottom of this, It looks like the CSS cannot authenticate users using a TACACS server
    over the management interface unless the TACACS server is located on the same subnet as the management interface;
    The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
    Note When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
    I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
    The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2 and neither is it mentioned that it is supported in the release notes of any of those versions.
    Cheers, Dom   

  • WAE, TACACS and ACS

    I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.
    I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.
    All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.
    Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?
    Thanks in advance,
    Peter

    Peter,
    The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.
    Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:
    System > AAA > Users
    Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.
    Zach

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
    user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
    user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    group = admin {
    default service = permit
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to peform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets?Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
    I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
    I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

  • I have iOS7 on my iPhone4. I turned on the Voice Over option and now my phone is not working at all. At first it was freezing and not accepting any commands. Now all I have is a blank sceen. I can't get back into it. Any ideas what happened here?

    I have iOS7 on my iPhone4. I turned on the Voice Over option and now my phone is not working at all. At first it was freezing and not accepting any commands. Now all I have is a blank sceen. I can't get back into it. Any ideas what happened here?

    Hi Jeffny01,
    If your iPhone is not responding, you may find the following article helpful:
    iOS: Not responding or does not turn on
    http://support.apple.com/kb/TS3281
    Regards,
    - Brenden

  • Games and music in ITunes on the VIAO. When I try to sync them to the ITOUCH or the IPAD I get a message that I am not authorized-.Go to the ITunes Store and Authorize this computer.

    FIRST there are some games and music in ITunes on the VIAO. When I try to sync them to the ITOUCH or the IPAD I get a message that I am not authorized….Go to the ITunes Store and Authorize this computer. I have completed this procedure several times and receive back the message you are authorized on this computer and I have authorized 2 of 5 devices allowed.
    Why am I not able access the games and music on my machine? How can I sync these items to my ITOUCH and MY IPAD
    SECOND How do I move my music and Games from ITUNES on the G5 to TUNES on the PC so I am able to sync those items to my devices.
    I have inherited my wife’s Laptop a:
    SONY VIAO
    MS Windows XP Home edition V 2002
    Service Pack 3
    ACPI Uniprocessor PC
    Owner dvkpqpg2.
    ITunes 11.01.1.12 updated 12/8/12
    I am both a PC and ITunes Rookie.
    I have some MAC experience and presently use a:
    Mac Dual PowerPC G5
    OS 10.4.11
    2.5GB DDR SDRAM
    ITunes 9.2.1
    ITOUCH MC011LL
    64 GB----57 GB avail
    iOS 5.11
    IPAD MC954LL
    iOS 6.0.1
    16 GB----37 GB avail

    If you want the ability to add music from multiple libraries see this thread.
    If you no longer have access to the computer that has your original library then see Recover your iTunes library from your iPod or iOS device.
    tt2

  • Authentication and authorization for AD users in UCM11g

    Hi all
    we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
    Thanks
    Somesh

    As you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
    As for SSO, refer to the:
    http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
    and
    http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
    Procedure steps are:
    Create a user account for the hostname of the web server machine in Active Directory
    Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
    Generate the keytab file
    Create a JAAS Login File named krb5Login.conf
    Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
    Configure the Identity Assertion Provider
    Adjust Weblogic Server startup arguments for Kerberos authentication
    Redeploy CS (and optionally other servers) server with the documentation given deployment plan
    Check web browser configuration (IE and Firefox only)
    Take a deep breath and test
    If successful have a cake and cup of coffee else goto step one
    Regards,
    Boris

  • Tacacs+ authentication/authorization based on user's subnet

    Hi Guys/Girls
    We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
    I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
    In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
    So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
    Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
    Your feedback will be appreciated and rated.
    Thanks
    Rizwan Rafeek

    Riswan,
    This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
    Here is an example of how the tacacs authentication is performed.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
    thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Authorization object for Command Button

    Hi all,
    How can I create the Authorization object for command button which is on application server.
    if you do not have auth when you click on that command button, it should be say 'you dont have auth'.
    please help me in this.
    regards,
    Ajay reddy

    Hi,
    Tcode for Authorization Objects are,
    su20----> for defineing authorization field ,
    su21-----> for authorization class,
    su22------> for assignement authorization object
    To create an authorization object:
    1) Execute transaction SU21
    2) Double-click an Object Class to select a class that should contain
    your new auth object
    3) Click on CREATE (F5)
    4) (If creating custom field) - Click the 'Field Maintenance' button -->
    Click on CREATE (Shift+F1)
    5) Enter the Name for the New Authorization field and the corresponding
    Data Element and SAVE
    6) Confirm the Change Request data for the new Authorization Field
    7) Go back two screens (F3-->F3)
    8) Enter the Authorization field name and document the object:
    9) SAVE and ACTIVATE the documentation
    10) Save the new Authorization Object
    11) Confirm the change request data for the Authorization Object and
    EXIT SU21
    12) Finally, the SAP_ALL profile must be re-generated
    Regards,
    hema.

Maybe you are looking for

  • Creation of Customer

    Hi Guys, While creating a customer I am not able to specify the reconciliation account, system isn't allowing me to enter any input in FD01 - company code data screen but when I double click its taking me to the G/L account screen of AR. I have also

  • Selecting mulitple items in a List programmaticly

    Hi everyone, my list doesn't shows my updates if i select a item programmaticly. this is an easy example showing my problem:     <fx:Script>         <![CDATA[             import mx.collections.ArrayList;             import mx.events.FlexEvent;       

  • Can't login due to input source issue

    Hi! I'm using my MBP (Yosemite) with a hungarian input source, however, my login password was in english. Yesterday, I've changed it. Now, it contains hungarian characters. I was able to use that password for logging in as long as the Mac just went t

  • Shunt Calibrate Multiple Channels in One Task - Error 201398

    Having created a task with multiple AI Strain Gage channels (each set with same bridge properties and quarter bridge config.), I recieve an error when passing the task to the "DAQmx Perform Shunt Calibration (Strain).vi" My VI works fine if only a si

  • Changing Quality of Service in Receiver Adapter

    Hi, We have a scenario where hundreds of messages for the same interface is sent to XI and written to one file on the receiver side.  We do not want to change the QOS (Quality of Service) to EOIO (Exactly Once in Order) on the sender side nor do we w