TACACS+ and authorization "conf-t" commands (IOS)
Hi
Is it possible to do authorization for IOS commands ("conf-t mode") on the TACACS+ service without having to keep strings such as "privilege configure level 3 interface" in the Cisco running config?
Authorization for exec mode commands works well but I need the same for the commands of conf-t mode.
For example tac_plus.conf:
I need something like this (fictional syntax):
service = configure {
cmd = interface { permit FastEthernet .* }
cmd = switchport { deny access .* }
}
This already works well:
service = exec {
priv-lvl = 3
cmd = ping { permit .* }
cmd = write { deny memory }
}
Thank you for any ideas.
Hi Oleg,
Here, as you said, commands like ping, show or any other commands in privilege level are authorized with the TACACS+ server. But if you want to authorize in global configuration mode then you need to give an extra command:
"acs#aaa authorization config-commands"
Now, after giving it, you can give any global configuration command like
"acs(config)#interface FastEthernet "
and either you permit or deny. This command gets authorized with the TACACS+ server.
-thanks,
Rajiv
Similar Messages
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
Now, those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by creating different aaa groups.
But still you will be logging in for telnet users (all of them) using one method.
I hope it is clear.
PK
How to make AAA access and prevent conf t?
Hello
I am trying to set up AAA access to our network switches and routers with the following requirements:
Have two groups in the ACS server: one ReadWrite (full access), second ReadOnly (full access except conf t command).
Created network device groups. Created ACS groups (NetAdmin); shell (exec) is privilege level 15, Shell command auth set is configured ReadWrite for switches and routers.
With the commands below I managed to have it working OK for switches but cannot get it right for routers. Basically I get authenticated but still have access to conf t on routers. Switches do not have access to conf t for the readonly group.
========================================================
Switch:
aaa new-model
aaa group server tacacs+ AAA
server 10.10.10.1
server 10.10.10.2
aaa authentication login default none
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default start-stop group AAA
aaa accounting commands 1 default start-stop group AAA
aaa accounting commands 15 default start-stop group AAA
aaa accounting network default start-stop group AAA
aaa accounting connection default start-stop group AAA
aaa accounting system default start-stop group AAA
!line vty 0 4
login authentication AAA
=======================================================
Router:
aaa new-model
aaa group server tacacs+ AAA
server-private 10.10.10.1 key 11111
aaa authentication login AAA-LOCAL local
aaa authentication login AAA group AAA local
aaa authentication enable default group AAA enable
aaa authorization console
aaa authorization exec default group AAA if-authenticated
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
action-type start-stop
group AAA
aaa accounting commands 1 default
action-type start-stop
group AAA
aaa accounting commands 15 default
action-type start-stop
group AAA
aaa accounting network default
action-type start-stop
group AAA
aaa accounting connection default
action-type start-stop
group AAA
aaa accounting system default
action-type start-stop
group AAA
!line vty 0 4
login authentication AAA
=============================================================
Based on the below commands, how can I set up AAA to fulfill our needs?
Appreciated your help.
ACS 4.x
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
ACS 5.x
http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml
These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1
tacacs-server key cisco123
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#rou
Jatin Katyal
Same user in tacacs and local database with different privilege
Hi there,
I am just not sure if this is correct behavior.
I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform.
I have configured authorization with TACACS+ on ACS server version 5.2 with fallback to the switch local database.
aaa authentication login default group ACS
aaa authorization commands default group ACS local
aaa accounting default group ACS
A user test with priv 15 is created on the ACS server, password test2.
Everything works fine, until I create the same username on the local database with privilege 0. (It doesn't matter if the user in the local database was created before the user in ACS or after.)
e.g.:
username test password test1 role priv-0 (note passwords are different for users in both databases)
After I create the same user in the local database with privilege 0, if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and it should be the primary way to authenticate and authorize the user.
Is this normal?
Thank you for help...
Hello.
Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
So traditional IOS can use the "privilege" attribute but other operating systems can not.
Although IOS-XR, Nexus, ACE, Juniper have the "role-based authorization" feature, every single one of them uses its particular attributes.
When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what were the particular attributes of ACE, what were the particular attributes of JunOS, etc., and to search the documentation deeply for some hints, because sadly documentation is not very good when talking about TACACS details.
If you find which attributes to use, and what values to assign to the attributes, then you can go to ACS and configure a "Shell Profile".
Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
I will search the particular attributes Nexus use to talk to TACACS server. If I got them I will post them here.
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
Bob
Hello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, please review the information below as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]
Hi Cisco People
I'm using FreeRadius 2 and Cisco 2600 Terminal server to coordinate access to cisco routers based on time ranges.
Basically we are an education/training environment where we have some students accessing the routers and switches for practise. Terminal servers are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into a few groups. We want to implement policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter).
(Figure: User -> Cisco 2600 Terminal Server (NAS) -> Network Devices; the terminal server authenticates users against the FreeRadius server.)
Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
users
=============
cisco Auth-Type := System
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15"
clients.conf
==============
client 192.168.1.1 {
secret = SECRET_KEY
shortname = termserver
nastype = cisco
}
A typical transaction would be :
Access-Request
=======
NAS-IP-Address = 192.168.1.1
NAS-Port = 35
NAS-Port-Type = Async
User-Name = "cisco"
Calling-Station-Id = "1.1.1.1"
User-Password = "cisco"
Access-Accept
=======
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be:
users
=============
cisco Auth-Type := System
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15",
Session-Timeout = 20
Cisco Terminal Server
==============
aaa new-model
aaa authentication login default group radius local none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attribute like the following:
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Session-Timeout = 20
But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My questions are:
1. Is the terminal server really able to enforce such a time limit after receiving the attribute?
2. Is the 2600 terminal server with [IOS 12.1(3)T] compliant with RFC 2865?
3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached?
Thanks
Frank
Frank,
I think you should use the login time as well:
Login-Time
Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
The following line will grant Alice access only between 08:00 and 18:00 each day.
"alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
http://www.packtpub.com/article/getting-started-with-freeradius
http://wiki.freeradius.org/config/Users
yes, the terminal server is RFC 2865 compliant.
Regards,
Ed
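An added example, not from FreeRADIUS or from any post here, showing how a Login-Time check item such as Alice's 'Al0800-1800' becomes the Session-Timeout reply value that the NAS then enforces. The day codes, the HHMM-HHMM window and the comma separator are assumptions modelled on the rlm_logintime format, and the timestamps are constructed.

```python
"""Model of what FreeRADIUS rlm_logintime does with a Login-Time check item
(constructed example; not FreeRADIUS code)."""
from datetime import datetime

# Day codes assumed here: Al = every day, Wk = Monday..Friday, Mo..Su = one
# day. Several day codes may be concatenated (MoTuWe) and several windows
# may be comma-separated. Times are HHMM-HHMM in the server's local time.
DAY_CODES = {
    'Mo': {0}, 'Tu': {1}, 'We': {2}, 'Th': {3}, 'Fr': {4}, 'Sa': {5}, 'Su': {6},
    'Wk': {0, 1, 2, 3, 4}, 'Al': {0, 1, 2, 3, 4, 5, 6},
}


def _minutes(hhmm):
    """'0855' -> 535 (minutes since midnight)."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_login_time(spec):
    """Return [(allowed_weekdays, start_minute, end_minute), ...]."""
    windows = []
    for part in spec.split(','):
        part = part.strip()
        days = set()
        while part[:2].isalpha():       # consume day codes such as MoTuWe
            days |= DAY_CODES[part[:2]]
            part = part[2:]
        start, end = part.split('-')
        windows.append((days, _minutes(start), _minutes(end)))
    return windows


def session_timeout(spec, now):
    """Seconds the user may stay connected if 'now' falls inside a permitted
    window (this is what the module hands back as the Session-Timeout reply
    item), or None when the Access-Request should be rejected."""
    minute = now.hour * 60 + now.minute
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute < end:
            return (end - minute) * 60 - now.second
    return None


def timeout_at(spec, year, month, day, hour, minute, second=0):
    """Convenience wrapper: evaluate the spec at a constructed moment."""
    return session_timeout(spec, datetime(year, month, day, hour, minute, second))


if __name__ == '__main__':
    # Alice's entry from the reply above, checked on a constructed Tuesday
    # afternoon: 30 minutes left in the 08:00-18:00 window -> 1800 seconds.
    print(timeout_at('Al0800-1800', 2014, 4, 15, 17, 30))
    # Outside the window the request is rejected -> None.
    print(timeout_at('Al0800-1800', 2014, 4, 15, 19, 0))
```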
Problems getting TACACS and SNTP to work on CSS11500
Hi,
I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s.
I have configured a TACACS server and an SNTP server which are accessible out of the management interface. There is a route to these devices out of the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to the TACACS server on the management or any of the other ports; it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mismatch, but I don't think it can be as the device isn't even trying to connect to the TACACS server on port 49.
Am I missing something obvious?
I've pasted the relevant parts of the config below
Thanks in advance,
Dom
lab-fe-2# show run
!Generated on 11/20/2009 09:40:18
!Active version: sg0820303
configure
!*************************** GLOBAL ***************************
sntp primary-server 10.52.240.1 version 3
sntp secondary-server 10.52.240.2 version 3
virtual authentication primary tacacs
virtual authentication secondary local
tacacs-server key xxxxxxxxxxxxx
tacacs-server 10.52.255.201 49
ip management route 10.52.240.0 255.255.240.0 10.55.2.252
ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
!************************* INTERFACE *************************
interface e1
bridge vlan 2503
phy 100Mbits-FD
interface e2
bridge vlan 2004
phy 100Mbits-FD
interface Ethernet-Mgmt
phy 10Mbits-FD
!************************** CIRCUIT **************************
lab-fe-2# show boot
!************************ BOOT CONFIG ************************
ip address 10.55.2.245
subnet mask 255.255.255.0
primary boot-file sg0820303
primary boot-type boot-via-disk
gateway address 10.55.2.252
lab-fe-2#
lab-fe-2# show tacacs-server
Per-Server Status:
IP/Port State Primary Authen. Author. Account
10.52.255.201:49 Dead No 0 0 0
Totals: 0 0 0
Per-Server Configuration:
IP/Port Key Server Timeout Server Frequency
10.52.255.201:49 Not Configured None None
Global Configuration Parameters:
Global Timeout: 5
Global KAL Frequency: 5
Global Key: Configured
Authorize Config Commands: No
Authorize Non-Config Commands: No
Account Config Commands: No
Account Non-Config Commands: No
Send Full Command: Yes
end of buffer.
lab-fe-2#
I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server over the management interface unless the TACACS server is located on the same subnet as the management interface:
The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
Note When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2 and neither is it mentioned that it is supported in the release notes of any of those versions.
Cheers, Dom
I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.
I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.
All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.
Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?
Thanks in advance,
Peter
Peter,
The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.
Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:
System > AAA > Users
Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.
Zach
AAA authentication and authorization question
Hi Everyone,
I have a situation that is driving me crazy.
I am using Cisco Freeware TACACS running on RedHat Enterprise Linux 3. I've modified the source code so that I can assign each individual user his/her own enable password. So far so good.
I create two groups: group_A and group_S. group_A is for advanced users and group_S is for super users. Users that belong to group_A can have privilege level 15 but there are certain commands that they cannot perform such as "write mem" or "reload". Users that belong to group_S can do EVERYTHING.
Here is my configuration on the TACACS configuration file:
user = xyz {
member = admin
name = "User X"
login = des 6.z8oIm9UGHo
}
user = $xyz$ {
member = admin
name = "User X"
login = des c2bUC43cmsac.
}
user = abc {
member = advanced
name = "User abc"
login = cleartext "cisco123"
}
user = $abc$ {
member = advanced
name = "User abc"
login = cleartext "cisco123"
}
group = advanced {
default service = deny
cmd = show { permit .* }
cmd = copy { permit flash }
cmd = copy { permit running }
cmd = ping { permit .* }
cmd = configure { permit .* }
cmd = enable { permit .* }
cmd = disable { permit .* }
cmd = telnet { permit .* }
cmd = disconnect { permit .* }
cmd = where { permit .* }
cmd = set { permit .* }
cmd = clear { permit line }
cmd = exit { permit .* }
}
group = admin {
default service = permit
}
configuration of the router:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
However, what I would like to do is to assign users in group_A the ability to go into "configuration t", but I do NOT want them to have the ability to perform "no tacacs-server host x.x.x.x key cisco". Furthermore, I would like to do everything via TACACS; I don't want to configure "privilege level" on the router itself.
Is that possible? Thanks.
David
Command Authorization Sets?
Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html
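An added example, written for this page and taken neither from any post above nor from tac_plus itself: a small Python model of tac_plus-style per-command authorization that covers both the first thread (config-mode commands such as "interface FastEthernet ..." only reach the server once aaa authorization config-commands is enabled on the IOS side) and David's goal of letting group_A enter configuration mode while refusing "no tacacs-server host ...". The sample group block is constructed, and the matching semantics assumed (the first word selects the cmd block, the remaining words are searched by each permit/deny regex in order, first match wins, an unmatched block denies, a missing block falls back to default service) are a simplification of what tac_plus does.

```python
"""Model of tac_plus-style per-command authorization (constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed group block in tac_plus.conf style: advanced users may enter
# configuration mode and touch FastEthernet interfaces, but may not remove
# the TACACS server or save the config. Not taken from any real deployment.
SAMPLE_GROUP = """
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = ping { permit .* }
    cmd = configure { permit terminal }
    cmd = interface { permit FastEthernet.* }
    cmd = no {
        deny tacacs-server.*
        permit .*
    }
    cmd = write { deny memory permit .* }
}
"""

CMD_RE = re.compile(r'^cmd\s*=\s*(\S+)\s*\{\s*(.*?)\s*\}?$')
RULE_RE = re.compile(r'(permit|deny)\s+("[^"]*"|\S+)')


@dataclass
class Group:
    name: str
    default_permit: bool = False
    # command name -> ordered list of (action, regex) rules
    cmds: dict = field(default_factory=dict)


def _rules(text):
    """Extract (action, regex) pairs; a quoted regex loses its quotes."""
    return [(action, pattern.strip('"')) for action, pattern in RULE_RE.findall(text)]


def parse_group(text):
    """Parse one 'group = name { ... }' block (assumed simplified grammar)."""
    group, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('group'):
            group = Group(name=line.split('=', 1)[1].split('{')[0].strip())
        elif line.startswith('default service'):
            group.default_permit = line.split('=', 1)[1].strip() == 'permit'
        elif line.startswith('cmd'):
            name, inline = CMD_RE.match(line).groups()
            current = group.cmds.setdefault(name, [])
            current.extend(_rules(inline))
            if line.endswith('}'):      # one-line block, already closed
                current = None
        elif line == '}':
            current = None
        elif current is not None:       # rule line inside a multi-line block
            current.extend(_rules(line))
    return group


def authorize(group, command):
    """Decide a command: the first word picks the cmd block, the remaining
    words are searched by each regex in order, first match wins, no match
    denies, and a command without a block falls back to 'default service'."""
    words = command.split()
    name, args = words[0], ' '.join(words[1:])
    rules = group.cmds.get(name)
    if rules is None:
        return group.default_permit
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == 'permit'
    return False


def decide_all(group, commands):
    """Map each command to 'permit' or 'deny' for a quick audit listing."""
    return {c: ('permit' if authorize(group, c) else 'deny') for c in commands}


if __name__ == '__main__':
    # Commands IOS would send once 'aaa authorization commands 15' and
    # 'aaa authorization config-commands' are both enabled.
    for cmd, verdict in decide_all(parse_group(SAMPLE_GROUP), [
        'show running-config', 'configure terminal', 'interface FastEthernet0/1',
        'interface Vlan1', 'no ip domain-lookup',
        'no tacacs-server host 10.1.1.1 key cisco123', 'write memory', 'reload',
    ]).items():
        print(f'{verdict:6} {cmd}')
```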
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied an authorization profile with DACL. I login on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I login under different accounts ISE continues to use only one last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times); didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
I have iOS7 on my iPhone4. I turned on the Voice Over option and now my phone is not working at all. At first it was freezing and not accepting any commands. Now all I have is a blank screen. I can't get back into it. Any ideas what happened here?
Hi Jeffny01,
If your iPhone is not responding, you may find the following article helpful:
iOS: Not responding or does not turn on
http://support.apple.com/kb/TS3281
Regards,
- Brenden -
FIRST there are some games and music in ITunes on the VIAO. When I try to sync them to the ITOUCH or the IPAD I get a message that I am not authorized… Go to the ITunes Store and Authorize this computer. I have completed this procedure several times and receive back the message you are authorized on this computer and I have authorized 2 of 5 devices allowed.
Why am I not able to access the games and music on my machine? How can I sync these items to my ITOUCH and MY IPAD?
SECOND How do I move my music and Games from ITUNES on the G5 to ITUNES on the PC so I am able to sync those items to my devices?
I have inherited my wife’s Laptop a:
SONY VIAO
MS Windows XP Home edition V 2002
Service Pack 3
ACPI Uniprocessor PC
Owner dvkpqpg2.
ITunes 11.01.1.12 updated 12/8/12
I am both a PC and ITunes Rookie.
I have some MAC experience and presently use a:
Mac Dual PowerPC G5
OS 10.4.11
2.5GB DDR SDRAM
ITunes 9.2.1
ITOUCH MC011LL
64 GB----57 GB avail
iOS 5.11
IPAD MC954LL
iOS 6.0.1
16 GB----37 GB avail
If you want the ability to add music from multiple libraries see this thread.
If you no longer have access to the computer that has your original library then see Recover your iTunes library from your iPod or iOS device.
tt2 -
Authentication and authorization for AD users in UCM11g
Hi all
We are using WebCenter Content Server 11g. I read somewhere that for 11g user authentication is done in the WebLogic Server environment, meaning the content server for 11g is now managed by WebLogic Server only; am I right? We have successfully integrated Active Directory with WebLogic Server and AD users are able to log in to UCM, but they don't have any role like contributor or admin. How do I do this role mapping for AD users in UCM, i.e. authorization for these users? Please provide any guidance on this issue, any doc or blog; we are new to the WebCenter suite.
Thanks
Somesh
As you already have WebLogic integrated with AD, only role mapping and Single Sign-On integration remain. For authorization, AD must contain groups with exactly the same names as the roles in the Content Server. Those groups should be where the Group Base parameter in the WebLogic ActiveDirectoryAuthenticator points (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning an AD user to the AD group named contributor will add the contributor role to the logged-in Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
Create a user account for the hostname of the web server machine in Active Directory
Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
Generate the keytab file
Create a JAAS Login File named krb5Login.conf
Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
Configure the Identity Assertion Provider
Adjust Weblogic Server startup arguments for Kerberos authentication
Redeploy CS (and optionally other servers) server with the documentation given deployment plan
Check web browser configuration (IE and Firefox only)
Take a deep breath and test
If successful have a cake and cup of coffee else goto step one
Regards,
Boris -
Tacacs+ authentication/authorization based on user's subnet
Hi Guys/Girls
We have a number of production cisco gears, all of which are configured with Tacacs+, and all of them are working just fine. But now I have a requirement to implement SSH version 2 across the whole network, comprising about 8000 cisco gears.
I need to develop a proof of concept (POC) that enabling SSH on production gears will not affect existing Tacacs+ user authentication and authorization.
Our lab cisco gears have already been configured with the production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears; however, when a user is coming from a certain specific subnet, this particular user must be authenticated and authorized by the LAB Tacacs+ and not by the production Tacacs+. Please note that the lab-gears I am testing with are also already configured for the production Tacacs+ server. These lab-gears must be able to do authentication and authorization to two different Tacacs+ servers based on the subnet the user is coming from.
Is this a doable plan? I have been looking for documentation to implement and test this method, without success.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek
Rizwan,
This will not work. Tacacs authentication starts once the SSH connection is established: the NAD (switch or router) opens a tacacs connection and sends the start flag to the tacacs server, which sends the "getusername" message back to the device and on to the user terminal. You cannot create an ACL to pick which tacacs servers you authenticate to either. So authenticating users from a specific subnet to a specific tacacs server is not the intended design of tacacs; when you configure multiple servers in a group it is to ensure high availability, such that when one tacacs server goes down you have a secondary to continue with the authentication requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts* -
Authorization object for Command Button
Hi all,
How can I create an authorization object for a command button which is on the application server?
If you do not have authorization when you click on that command button, it should say 'you dont have auth'.
Please help me with this.
regards,
Ajay reddy
Hi,
Tcodes for authorization objects are:
su20----> for defining authorization fields,
su21-----> for authorization classes,
su22------> for assignment of authorization objects
To create an authorization object:
1) Execute transaction SU21
2) Double-click an Object Class to select a class that should contain your new auth object
3) Click on CREATE (F5)
4) (If creating custom field) - Click the 'Field Maintenance' button --> Click on CREATE (Shift+F1)
5) Enter the Name for the New Authorization field and the corresponding Data Element and SAVE
6) Confirm the Change Request data for the new Authorization Field
7) Go back two screens (F3-->F3)
8) Enter the Authorization field name and document the object:
9) SAVE and ACTIVATE the documentation
10) Save the new Authorization Object
11) Confirm the change request data for the Authorization Object and EXIT SU21
12) Finally, the SAP_ALL profile must be re-generated
Regards,
hema.
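The steps above create the object in SU21 but do not show the runtime check that actually stops the button from doing anything for a user who lacks it. As an added example (not code from this thread or from SAP), here is the PAI module that performs that check with AUTHORITY-CHECK when the button is pressed. The object name Z_BUTTON, its field ZFCODE and the function code ZRUN are hypothetical; ACTVT and activity 16 (Execute) are standard.

```abap
* Added example, not from the original thread or from SAP.
* Assumes a custom authorization object Z_BUTTON (hypothetical) created in
* SU21 with the fields ZFCODE (function code) and ACTVT (activity).
* The check runs in the PAI of the screen carrying the button, so an
* unauthorized user gets an error message and the action is never executed.
MODULE user_command_0100 INPUT.
  CASE sy-ucomm.
    WHEN 'ZRUN'.                              " hypothetical button function code
      AUTHORITY-CHECK OBJECT 'Z_BUTTON'
        ID 'ZFCODE' FIELD sy-ucomm
        ID 'ACTVT'  FIELD '16'.               " 16 = Execute
      IF sy-subrc <> 0.
        " sy-subrc 4: authorization missing; 12: object not in user master at all
        MESSAGE 'You do not have authorization for this action' TYPE 'E'.
      ELSE.
        PERFORM run_button_action.            " only reached when authorized
      ENDIF.
    WHEN 'BACK'.
      LEAVE TO SCREEN 0.
  ENDCASE.
ENDMODULE.

FORM run_button_action.
  " The protected action belongs here.
  MESSAGE 'Action executed' TYPE 'S'.
ENDFORM.
```

Because the message is of type E inside PAI, the screen is redisplayed and the protected FORM is never reached; the object still has to be added to a role in PFCG (with the values for ZFCODE and ACTVT) and that role assigned to the users who should be allowed to press the button.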