Tacacs+ and User EXEC mode

I am running tac_plus on linux. I have basic configs in place and operating, but every time I telnet into a device I am presented with the User Exec prompt (router>) and I have to issue the enable command. I want to get set up so that I go straight to my aaa authentication username prompt. My aaa config is:
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ enab
aaa authorization config-commands
enable secret xxxx
TIA,
John

John
I have a couple of comments/questions about your situation.
- Have you got a TACACS server configured on the router? If so could you post that part of the config also?
- Is there any sign on the TACACS server that it is getting any authentication request from the router?
- With this configuration I am surprised that you can access the router. When you configure aaa authentication login default group tacacs+ none, the none means that there is no backup method and if you are not authenticated by the server, I would expect that you would be denied access to the router. I would suggest that it would be better to use aaa authentication login default group tacacs+ line. This will give you the backup method of using the line passwords on console or vty ports.
- It is possible to configure a different authentication method on the console port or on the vty ports. Could you post your configuration of the console and vty ports?
- It looks like there was a problem with cut and paste on the authorization command. Perhaps you could repost the config with the complete line.
- If you would run debug tacacs authentication and debug aaa authentication and post any output it might help figure out what is happening in your situation.
HTH
Rick

Similar Messages

  • ACS 4.2 authentication and Privileged exec mode on Test Router.

    The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
    I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa session-id common
    tacacs-server host 10.4.4.21 single-connection
    tacacs-server key $#$&$*#
    The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
    AAA_ROUTER_CLIENT>enable
    % Error in authentication.
    AAA_ROUTER_CLIENT>
    I must be missing something in the ACS. Any help would be appreciated.

    You are missing this command
    aaa authorization exec default group tacacs+ if-authenticated
    This is what you need on router
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    On ACS
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts
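An added example, not part of any post on this page: a small audit of IOS `aaa` method lists for the two conditions these threads keep running into, a login list that ends in `none` and a missing `aaa authorization exec` list (the reason sessions land at `router>` and need `enable`). The sample configs are constructed from the snippets quoted above, and the finding names are this example's own.

```python
import re

# Constructed sample configs, modelled on the snippets quoted in the threads above.
CONFIG_USER_EXEC = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ enable
enable secret xxxx
"""

CONFIG_PRIV_EXEC = """\
username admin privilege 15 password 7 removed
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

# Finding codes and what they mean for an operator (names are this example's own).
FINDINGS = {
    "AAA_DISABLED": "no 'aaa new-model' line in this configuration",
    "LOGIN_FALLS_BACK_TO_NONE": "'none' admits the session with no credentials once "
                                "the earlier methods return an error (server unreachable)",
    "LOGIN_NO_FALLBACK": "a single server-group method; no way in if the server is down",
    "NO_EXEC_AUTHORIZATION": "no 'aaa authorization exec' list, so the server's privilege "
                             "level is never requested and sessions start in user EXEC",
    "LOCAL_METHOD_WITHOUT_LOCAL_USER": "'local' is listed but no 'username' line exists",
}


def parse_method_lists(config):
    """Map (kind, service, list_name) -> ordered methods for aaa method-list lines."""
    lists = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization"):
            continue  # not a method list (e.g. 'aaa new-model', 'aaa session-id common')
        kind, service, rest = tok[1], tok[2], tok[3:]
        if service == "commands":  # syntax is 'commands <level> <list-name> <methods>'
            service, rest = f"commands {rest[0]}", rest[1:]
        name, words = rest[0], rest[1:]
        methods, i = [], 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):
                methods.append(f"group {words[i + 1]}")  # 'group tacacs+' is one method
                i += 2
            else:
                methods.append(words[i])
                i += 1
        lists[(kind, service, name)] = methods
    return lists


def audit_aaa(config):
    """Return the sorted finding codes that apply to one device configuration."""
    lists = parse_method_lists(config)
    found = set()
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        found.add("AAA_DISABLED")
    for (kind, service, _name), methods in lists.items():
        if kind == "authentication" and service == "login":
            if "none" in methods:
                found.add("LOGIN_FALLS_BACK_TO_NONE")
            elif len(methods) == 1 and methods[0].startswith("group "):
                found.add("LOGIN_NO_FALLBACK")
    if not any(kind == "authorization" and service == "exec" for kind, service, _ in lists):
        found.add("NO_EXEC_AUTHORIZATION")
    uses_local = any("local" in methods for methods in lists.values())
    if uses_local and not re.search(r"^username \S+ ", config, re.M):
        found.add("LOCAL_METHOD_WITHOUT_LOCAL_USER")
    return sorted(found)


if __name__ == "__main__":
    for label, cfg in (("user-exec config", CONFIG_USER_EXEC),
                       ("priv-exec config", CONFIG_PRIV_EXEC)):
        print(label)
        for code in audit_aaa(cfg) or ["(no findings)"]:
            print(f"  {code}: {FINDINGS.get(code, '')}")
```
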

  • CISCO 700 and privileged EXEC mode

    Hi!
    I have a CISCO 765 and am trying to connect to another 765 and the result of the dialing is
    "L08 1 0498291725 Call Connected
    Connection 11 Add Link 1 Channel 1
    Connection 11 Remove Link 1 Channel 1
    L13 1 Disconnecting Call
    L27 1 Disconnected"
    This doesn't say so much so I need to enter the debug mode. But how do I do that on the 765?

    Are you getting any other error messages through the console. Try enabling "debug isdn q931" on the router and check for the reason the call is getting disconnected. Check which end is disconnecting the call. Whether it is the calling side or the called side. This will help in narrowing down the issue.

  • ACS 5.3 Different password for privilege exec mode

    This is what I would like to do for our Core Routers. Not too familiar with ACS, so please excuse me if I don't provide you with all the details.
    Right now I have ACS 5.3 which is tied to Active Directory. When a user logs in they use their AD credentials to access the CLI and use that same password to access privileged exec mode.
    What I want to do is have users log in using their AD credentials like normal but have a unique password to access privileged exec mode, different for each user.
    So far this is what I have done:
    1) Created a test user (same as AD user name) in the Internal Identity Store
    Password Type: Internal Users
    normal password set differently than Enable Password (I think Enable Password will only be relevant)
    2) Created a rule under Access Policies > Device Admin - Commands > Identity
    - Created Rule with Current Condition Set    (TACACS+:Authen-Type match ASCII And (TACACS+:Action match Login AND TACACS+Service match Enable))
    - Identity Source: Internal Users
    When I enable the rule. I can login with my AD credentials, but when I try to access privilege exec mode the password that I created for the local user (regular and enable) does not work.
    Question: Do I need to create a shell profile with Maximum privilege value set to something under 15 for the authorization policy and apply it so it will try and use the internal user's enable password?
    Not too familiar with how this works. One of my co-workers said I needed to demote the users in order for my rule to work.

    Hey Tushar,
    That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifies what I'm trying to do.
    Thanks

  • Does ISE 1.1 support TACACS and H-REAP?

    Hello,
    Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
    Also, customer wants to have quick access to the corporate network with some few laptops without going through the Active Directory? Any suggestion on this?
    Thanks
    Olu

    EAP-TLS does not rely on AD.
    CA root cert is installed on ACS for trust and identity.
    you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
    Users and Identity Stores >
    Certificate Authentication Profile >
    Edit: "CN Username"
    see the checkbox at the bottom.
    I do EAP TLS machine auth only without integrating AD into the policy at all.
    hth,
    jk

  • Allow privileged users to enter into EXEC mode on login not working with public keys

    Hi,
    I have recently updated one of my Cisco ASA to v9.2(1) and noticed a function to get the perform authorization for exec shell access can do an auto-enable when logging in from ssh.
    The problem is that if I use a private/public key authentication with a user it won't do the auto-enable feature. If I login without keys and using my password, it jumps into privileged exec mode as it should.
    Anyone else had this issue?
    Config:
    aaa authentication ssh console LOCAL
    aaa authorization exec LOCAL auto-enable
    username user password xxxxxx encrypted privilege 15
    username user attributes
     ssh authentication publickey 22:af:xxxxxx hashed
    Any answer will be highly appreciated. 
    P.S I'm totally new in this forum.

    Would you be able to open a TAC SR and once you do , Email me the SR no and i will look into this issue.
    Thanks and Regards,
    Vibhor Amrodia

  • Configuration issue in IE as Document mode: 10 and User agent String: Internet Explorer 8

    Hi,
    I have a telerik rad popup window performing some input operation. The problem is when I use the configuration in IE as Document mode: 10 and User agent String: Internet Explorer 8, scroll bars appear in the window from nowhere. It is working fine with every other configuration of IE. I've also used a separate stylesheet for IE 8 but it won't apply in this case.
    Here are the screen shots of the window.
    Actual view
    With Scrollbar
    Please if anybody could suggest a solution for this weird problem it would be a great help.
    Thanks in advance.
    Neelesh

    Hi,
    It seems we need to talk with the site developers to determine how the sheet would display with different IE user agent string.
    Regarding the user agent string changes, please take a check with the following article:
    Introducing IE9’s User Agent String
    The Internet Explorer 8 User-Agent String (Updated Edition)
    Hope this may help
    Best regards
    Michael Shao
    TechNet Community Support

  • Unable to enter to user Privilege EXEC Mode with catalyst 1900

    Hello
    I am setting up a lab network. I have 10 Cisco 1900 series switches. But when I try to power up, it shows the below message. I am not able to get into user privilege mode.
    Catalyst 1900 Management Console
    Copyright (c) Cisco Systems, Inc.  1993-1997
    All rights reserved.
    Ethernet address: 00-C0-1D-81-43-65
    1 user(s) now active on Management Console.
    Enter password:
    Catalyst 1900 - Main Menu
         [C] Console Password
         [S] System
         [N] Network Management
         [P] Port Configuration
         [A] Port Addressing
         [D] Port Statistics Detail
         [M] Monitoring
         [V] Virtual LAN
         [R] Multicast Registration
         [F] Firmware
         [I] RS-232 Interface
         [U] Usage Summaries
         [H] Help
         [X] Exit Management Console
    Enter Selection:
    Could you please tell me how I can get into the user mode such as
    Switch1#
    Thanks
    Navaz

    There were two versions of software for the 1900 series switches, one that was purely menu-based configuration and management and the Enterprise version, which had an option to exit the menu and get access to a CLI. Note though that this is not Cisco IOS.
    There's a post, Catalyst 1900 Enterprise software, on the forum from 2002 that will give you some more details. As indicated in that post there's an option to upgrade to the Enterprise edition, but you obviously need to acquire the software.
    As per the responses from Richard and Leo, these are very old switches and depending upon what you're trying to do with them, may not serve your purpose.
    Regards

  • [Forum FAQ] Troubleshoot the error "The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode"

    Symptom
    RD License server is a key component of RDS. It licenses users to access RDS servers.
    After purchasing the required RDS CALs, we need to activate the RDS License server and install the purchased RDS CALs. However, during the installation or after installation, we may face errors about RDS License.
    In most cases, the following error may occur.
    Error:
    The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server "Server name" does not have any installed licenses with the following attributes:
    Product version: Windows Server 2012
    Licensing mode: Per User
    License type: RDS CALs
    Troubleshooting
    1. Check whether the RD License Configuration is configured properly and there are no Warnings in the Event.
    2. The License Server should be part of 'RD Server License' group in Active Directory Domain Services.
    3. Check if the Licensing Mode is correct.
    - To change the Licensing Mode we can use RD Licensing diagnose, PowerShell cmdlet and Group Policy.
    Via PowerShell cmdlet:
    To change the licensing mode on RDSH/RDVH:
    $obj = get-wmiobject -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
    $obj.ChangeMode(value)
    # Value can be 2 - per Device, 4 - Per user
    Via Group Policy
    Path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
    Use the specified RD license servers = FQDN of server name
    Set the Remote Desktop licensing mode = Per User
    However, if issue persists, please provide detailed information and post the question in the Remote Desktop Services (Terminal Services) forum.
    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    Hi Richard,
    You need to uninstall the Remote Desktop Session Host feature. After removing it, you will default to two connections, which do not require purchasing RD CALs.
    Thanks,
    Umesh.S.K

  • Internet Explorer 11 - Emulation Document Mode and User Agent String Drop Down Menu Blank

    Hey
    I have a user who has a problem with Internet Explorer 11 where when you go to emulation mode using F12, the Document Mode and User Agent String Drop Down Menu are both blank. On our internal website it works correctly but on all other external websites they are both blank.
    I have had a look at the link below but this did not help as it would not recreate some of the registry keys.
    http://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/document-mode-and-user-agent-string-dropdowns/cd34d5f8-7839-4083-af55-05d49ba85190?rtAction=1387560713451
    Charlie

    Hi,
    Please include links to any websites that you are having issues with your questions.
    There are some known reasons why the documentMode dropdown appears blank...
    not all websites though should have the conditions for this.
    f12>Console tab, refresh the page to show suppressed error messages and warnings... (documentMode x-ua toggling is listed)...
    IE11 includes improvements for XSS... to link to internet sites from your intranets you need to add those sites (If you really, really trust them) to the Trusted Sites list.
    the developer console will list blocked xss requests.
    by default IE11 runs in EPM.... in the Internet Zone, while it is not switched on for the intranet zone....
    EPM only allows 64 bit Addons and ActiveX controls to run in the context of an IE tab...
    so its highly likely that one of your Addons is causing the issue.
    the first step in troubleshooting IE issues is to test in noAddons mode.
    Regards.
    Rob^_^

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access (some show commands) to a couple of users to all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
    Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything I am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh with http by creating different aaa groups.
    But still you will be logging in for telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • AAA, Tacacs+ and ACS

    I'm trying to use ACS (v4.1) to authenticate admin to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.
    What I have so far on the switch is
    enable secret 5 removed
    username admin privilege 15 password 7 removed
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    The local admin logins in perfectly fine when the switch is not connected to the network.
    When I connect the switch to the network and login using my AD credentials it works a treat.
    When I try and login with a local ACS account for testing which has Max Privilege for any AAA Client Level 1, Tacacs+ Settings Shell(exec) is ticked as is Privilege level and that's set at 1 also, it logs in fine but when I try to go into exec mode it fails with errors below
    % Error in authentication.
    .Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
    I don't want test to go into exec mode as level 15 I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
    I'm at a loss to know why this isn't working so any help would be much appreciated.
    Thanks
    Jon

    The problem you are facing and the error you're seeing on ACS "max session exceeded" seem to be 2 different issues. I read that you don't want to try this with Max privilege and privilege level set to 15. However, if you want to restrict user to few commands on any IOS, that can't be done like this.
    You need to have command authorization enabled on the switch and command set on the ACS > shell command authorization. This is pretty common feature that we use day in day out.
    You need to set privilege level to 15 because we are using exec authorization on the switch and then follow this document.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    You would see few examples of read-only access and read-write access.
    You may also let me know what all command you would like to allow for read-only access.
    Please feel free to let me know if you need any further assistance.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

  • Cisco Devices Syslog monitoring and user monitoring tools

    Can anyone help me with how to monitor syslog and user logs (which commands a specific user uses)? If any software or hardware is needed for this purpose we will purchase it. Note that our network runs all Cisco devices (router, switch, ASA etc.) and more than 200 devices are in our network.
    thanks.

    Configuring Cisco Devices to Use a Syslog Server
    Most Cisco devices use the syslog protocol to manage system logs and  alerts. But unlike their PC and server counterparts, Cisco devices lack  large internal storage space for storing these logs. To overcome this  limitation, Cisco devices offer the following two options:
    Internal buffer— The device's operating system  allocates a small part of memory buffers to log the most recent  messages. The buffer size is limited to few kilobytes. This option is  enabled by default. However, when the device reboots, these syslog  messages are lost.
    Syslog— Use a UNIX-style SYSLOG protocol to send  messages to an external device for storing. The storage size does not  depend on the router's resources and is limited only by the available  disk space on the external syslog server. This option is not enabled by  default.
    TIP
    Before configuring a Cisco device to send syslog messages, make  sure that it is configured with the right date, time, and time zone.  Syslog data would be useless for troubleshooting if it shows the wrong  date and time. You should configure all network devices to use NTP.  Using NTP ensures a correct and synchronized system clock on all devices  within the network. Setting the devices with the accurate time is  helpful for event correlation.
    To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices.
    Cisco devices use a severity level of warnings through emergencies to  generate error messages about software or hardware malfunctions. The  debugging level displays the output of debug commands. The Notice level  displays interface up or down transitions and system restart messages.  The informational level reloads requests and low-process stack messages.
    Configuring Cisco Routers for Syslog
    To configure a Cisco IOS-based router for sending syslog messages to  an external syslog server, follow the steps in Table 4-11 using  privileged EXEC mode.
    Table 4-11. Configuring Cisco Routers for Syslog
    Step 1
      Command: Router# configure terminal
      Purpose: Enters global configuration mode.
    Step 2
      Command: Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]
      Purpose: Instructs the system to timestamp syslog messages; the options for the type keyword are debug and log.
    Step 3
      Command: Router(config)# logging host
      Purpose: Specifies the syslog server by IP address or host name; you can specify multiple servers.
    Step 4
      Command: Router(config)# logging trap level
      Purpose: Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower. The possible values for level are as follows:
        Emergency: 0
        Alert: 1
        Critical: 2
        Error: 3
        Warning: 4
        Notice: 5
        Informational: 6
        Debug: 7
      Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network.
    Step 5
      Command: Router(config)# logging facility facility-type
      Purpose: Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7.
    Step 6
      Command: Router(config)# end
      Purpose: Returns to privileged EXEC mode.
    Step 7
      Command: Router# show logging
      Purpose: Displays logging configuration.
    Note
    When a level is specified in the logging trap level command, the router is configured to send messages with lower severity levels as well. For example, the logging trap warning command configures the router to send all messages with the  severity warning, error, critical, and emergency. Similarly, the logging trap debug command causes the router to send all messages to  the syslog server. Exercise caution while enabling the debug level.  Because the debug process is assigned a high CPU priority, using it in a  busy network can cause the router to crash.
    Example 4-12 prepares a Cisco router to send syslog messages at  facility local3. Also, the router will only send messages with a  severity of warning or higher. The syslog server is on a machine with an  IP address of 192.168.0.30.
    Example 4-12. Router Configuration for Syslog
    Router-Dallas#
    Router-Dallas#config terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router-Dallas(config)#logging 192.168.0.30
    Router-Dallas(config)#service timestamps debug datetime localtime show-timezone msec
    Router-Dallas(config)#service timestamps log datetime localtime show-timezone msec
    Router-Dallas(config)#logging facility local3
    Router-Dallas(config)#logging trap warning
    Router-Dallas(config)#end
    Router-Dallas#show logging
    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
        Console logging: level debugging, 79 messages logged
        Monitor logging: level debugging, 0 messages logged
        Buffer logging: disabled
        Trap logging: level warnings, 80 message lines logged
            Logging to 192.168.0.30, 57 message lines logged
    Configuring a Cisco Switch for Syslog
    To configure a Cisco CatOS-based switch for sending syslog messages  to an external syslog server, use the privileged EXEC mode commands  shown in Table 4-12.
    Table 4-12. Configuring a Cisco Switch for Syslog
    Step 1
      Command: Switch>(enable) set logging timestamp {enable | disable}
      Purpose: Configures the system to timestamp messages.
    Step 2
      Command: Switch>(enable) set logging server ip-address
      Purpose: Specifies the IP address of the syslog server; a maximum of three servers can be specified.
    Step 3
      Command: Switch>(enable) set logging server severity server_severity_level
      Purpose: Limits messages that are logged to the syslog servers by severity level.
    Step 4
      Command: Switch>(enable) set logging server facility server_facility_parameter
      Purpose: Specifies the facility level that would be used in the message. The default is local7. Apart from the standard facility names listed in Table 4-1, Cisco Catalyst switches use facility names that are specific to the switch. The following facility levels generate syslog messages with fixed severity levels:
        5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching
        4: CDP, UDLD
        2: Other facilities
    Step 5
      Command: Switch>(enable) set logging server enable
      Purpose: Enables the switch to send syslog messages to the syslog servers.
    Step 6
      Command: Switch>(enable) show logging
      Purpose: Displays the logging configuration.
    Example 4-13 prepares a CatOS-based switch to send syslog messages at  facility local4. Also, the switch will only send messages with a  severity of warning or higher. The syslog server is on a machine with an  IP address of 192.168.0.30.
    Example 4-13. CatOS-Based Switch Configuration for Syslog
    Console> (enable) set logging timestamp enable
    System logging messages timestamp will be enabled.
    Console> (enable) set logging server 192.168.0.30
    192.168.0.30 added to System logging server table.
    Console> (enable) set logging server facility local4
    System logging server facility set to
    Console> (enable) set logging server severity 4
    System logging server severity set to <4>
    Console> (enable) set logging server enable
    System logging messages will be sent to the configured syslog servers.
    Console> (enable) show logging
    Logging buffered size: 500
    timestamp option: enabled
    Logging history size: 1
    Logging console: enabled
    Logging server: enabled
    {192.168.0.30}
    server facility: LOCAL4
    server severity: warnings(4)
    Current Logging Session: enabled
    Facility            Default Severity          Current Session Severity
    cdp                 3                         4
    drip                2                         4
    dtp                 5                         4
    dvlan               2                         4
    earl                2                         4
    fddi                2                         4
    filesys             2                         4
    gvrp                2                         4
    ip                  2                         4
    kernel              2                         4
    mcast               2                         4
    mgmt                5                         4
    mls                 5                         4
    pagp                5                         4
    protfilt            2                         4
    pruning             2                         4
    radius              2                         4
    security            2                         4
    snmp                2                         4
    spantree            2                         4
    sys                 5                         4
    tac                 2                         4
    tcp                 2                         4
    telnet              2                         4
    tftp                2                         4
    udld                4                         4
    vmps                2                         4
    vtp                 2                         4
    0(emergencies)        1(alerts)              2(critical)
    3(errors)             4(warnings)            5(notifications)
    6(information)        7(debugging)
    Console> (enable)
    Configuring a Cisco ASA for Syslog >
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html
    You can get a free copy of Syslog server from here
    http://www.kiwisyslog.com/free-edition.aspx
    Hope it helps!!
    Regards
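An added example, not part of the post above: it applies the `logging trap` rule from the Note (a level forwards that severity and everything more severe) to sample messages, and shows that with `logging trap warning` from Example 4-12 the severity-5 `%SYS-5-PRIV_AUTH_FAIL` message quoted in the "AAA, Tacacs+ and ACS" thread never reaches the syslog server. Only the first sample line comes from this page; the other lines, their addresses and the function names are constructed for the example.

```python
import re

# IOS 'logging trap' keywords; the list index is the numeric severity (0 = most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Cisco system messages carry %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

# First line is quoted from the thread on this page; the rest are constructed samples.
SAMPLE_LOG = [
    ".Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 "
    "failed by test on console",
    "Oct 25 14:20:02.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] "
    "[Source: 192.0.2.15] [localport: 22]",
    "Oct 25 14:21:40.512: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Oct 25 14:22:05.007: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.15)",
    "Oct 25 14:22:06.000: this line has no %FACILITY-SEV-MNEMONIC tag and is skipped",
]


def trap_level(keyword):
    """Resolve a 'logging trap' argument (0-7 or a unique keyword prefix) to a number."""
    if keyword.isdigit() and int(keyword) <= 7:
        return int(keyword)
    hits = [i for i, name in enumerate(LEVELS) if keyword and name.startswith(keyword.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous trap level: {keyword!r}")
    return hits[0]


def parse(line):
    """Return facility/severity/mnemonic/text for one line, or None if it has no tag."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def split_by_trap(lines, keyword):
    """Return (forwarded, suppressed) message tags for a given 'logging trap' setting."""
    limit = trap_level(keyword)
    forwarded, suppressed = [], []
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        tag = f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}"
        # Lower number = more severe; the device sends severities 0..limit.
        (forwarded if msg["severity"] <= limit else suppressed).append(tag)
    return forwarded, suppressed


def required_trap(lines, wanted_mnemonics):
    """Least verbose trap keyword that still forwards every wanted mnemonic seen in lines."""
    severities = [m["severity"] for m in map(parse, lines)
                  if m is not None and m["mnemonic"] in wanted_mnemonics]
    if not severities:
        raise ValueError("none of the wanted mnemonics appear in the sample")
    return LEVELS[max(severities)]


if __name__ == "__main__":
    sent, dropped = split_by_trap(SAMPLE_LOG, "warning")
    print("forwarded with 'logging trap warning':", sent)
    print("kept on the device only:", dropped)
    print("needed for PRIV_AUTH_FAIL and CONFIG_I:",
          "logging trap", required_trap(SAMPLE_LOG, {"PRIV_AUTH_FAIL", "CONFIG_I"}))
```
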

  • System and User Statuses Missing

    Hi All,
    Does anyone know what causes the system and user statuses to disappear on the main screen of the production order.  Normally we see all system statuses  and the current user status like this:
    Status     CRTD PRC  CSER BCRQ MANC SETC  REL
    User Status    ERR
    Some configuration must have changed because even though the statuses are in JEST, they are not displayed on the order.
    Status
    User Status 
    Thanks for the help,
    Malissa

    Malissa,
    Just a different thinking to see, whether we can get some clues.
    I would suggest you get into the order in the change mode,  try some minor changes may in terms of operation text etc...and try to save the order. if there are some missing stuff, I am sure now SAP would throw out the error lets take the leads from there on.
    Regards,
    Prasobh
