Tacacs+ and User EXEC mode
I am running tac_plus on linux. I have basic configs in place and operating, but every time I telnet into a device I am presented with the User Exec prompt (router>) and I have to issue the enable command. I want to get set up so that I go straight to my aaa authentication username prompt. My aaa config is:
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ enab
aaa authorization config-commands
enable secret xxxx
TIA,
John
John
I have a couple of comments/questions about your situation.
- have you got a TACACS server configured on the router? if so could you post that part of the config also?
- is there any sign on the TACACS server that it is getting any authentication request from the router?
- with this configuration I am surprised that you can access the router. when you configure aaa authentication login default group tacacs+ none, the none means that there is no backup method and if you are not authenticated by the server, I would expect that you would be denied access to the router. I would suggest that it would be better to use aaa authentication login default group tacacs+ line. This will give you the backup method of using the line passwords on console or vty ports.
- it is possible to configure a different authentication method on the console port or on the vty ports. could you post your configuration of the console and vty ports?
- it looks like there was a problem with cut and paste on the authorization command. perhaps you could repost the config with the complete line.
- if you would run debug tacacs authentication and debug aaa authentication and post any output it might help figure out what is happening in your situation.
HTH
Rick
Similar Messages
-
ACS 4.2 authentication and Privileged exec mode on Test Router.
The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key $#$&$*#
The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
AAA_ROUTER_CLIENT>enable
% Error in authentication.
AAA_ROUTER_CLIENT>
I must be missing something in the ACS. Any help would be appreciated.
You are missing this command
aaa authorization exec default group tacacs+ if-authenticated
This is what you need on router
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On ACS
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts -
CISCO 700 and privileged EXEC mode
Hi!
I have a CISCO 765 and trying to connect to another 765 and the result of the dialing is
"L08 1 0498291725 Call Connected
Connection 11 Add Link 1 Channel 1
Connection 11 Remove Link 1 Channel 1
L13 1 Disconnecting Call
L27 1 Disconnected"
This doesn't say so much so I need to enter the debug mode. But how do I do that on the 765?
Are you getting any other error messages through the console? Try enabling "debug isdn q931" on the router and check for the reason the call is getting disconnected. Check which end is disconnecting the call. Whether it is the calling side or the called side. This will help in narrowing down the issue.
-
ACS 5.3 Different password for privilege exec mode
This is what I would like to do for our Core Routers. Not too familiar with ACS, so please excuse me if I don't provide you with all the details.
Right now I have ACS 5.3 which is tied to Active Directory. When a user logs in they use their AD credentials to access the CLI and use that same password to access privileged exec mode.
What I want to do is have users log in using their AD credentials like normal but have a unique password to access privileged exec mode, different for each user.
So far this is what I have done:
1) Created a test user (same as AD user name) in the Internal Identity Store
Password Type: Internal Users
normal password set differently than Enable Password (I think Enable Password will only be relevant)
2) Created a rule under Access Policies > Device Admin - Commands > Identity
- Created Rule with Current Condition Set (TACACS+:Authen-Type match ASCII And (TACACS+:Action match Login AND TACACS+Service match Enable))
- Identity Source: Internal Users
When I enable the rule. I can login with my AD credentials, but when I try to access privilege exec mode the password that I created for the local user (regular and enable) does not work.
Question: Do I need to create a shell profile with Maximum privilege value set to something under 15 for the authorization policy and apply it so it will try and use the internal user's enable password?
Not too familiar with how this works. One of my co-workers said I needed to demote the users in order for my rule to work.
Hey Tushar,
That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifies what I'm trying to do.
Thanks -
Does ISE 1.1 support TACACS and H-REAP?
Hello,
Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
Also, customer wants to have quick access to the corporate network with some few laptops without going through the Active Directory? Any suggestion on this?
Thanks
Olu
EAP-TLS does not rely on AD.
CA root cert is installed on ACS for trust and identity.
you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
Users and Identity Stores >
Certificate Authentication Profile >
Edit: "CN Username"
see the checkbox at the bottom.
I do EAP TLS machine auth only without integrating AD into the policy at all.
hth,
jk -
Allow privileged users to enter into EXEC mode on login not working with public keys
Hi,
I have recently updated one of my Cisco ASA to v9.2(1) and noticed a function to get the perform authorization for exec shell access can do an auto-enable when logging in from ssh.
The problem is that if I use a private/public key authentication with a user it won't do the auto-enable feature. If I login without keys and using my password, it jumps into privileged exec mode as it should.
Anyone else had this issue?
Config:
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
username user password xxxxxx encrypted privilege 15
username user attributes
ssh authentication publickey 22:af:xxxxxx hashed
Any answer will be highly appreciated.
P.S I'm totally new in this forum.
Would you be able to open a TAC SR and once you do, Email me the SR no and I will look into this issue.
[email protected]
Thanks and Regards,
Vibhor Amrodia -
Hi,
I have a telerik rad popup window performing some input operation. The problem is when I use the configuration in IE as Document mode: 10 and User
agent String: Internet Explorer 8, scroll bars appear in the window from nowhere. It is working fine with every other configuration of IE. I've also used a separate stylesheet for IE 8 but it won't apply in this case.
Here are the screen shots of the window.
Actual view
With Scrollbar
Please if anybody could suggest a solution for this weird problem it would be a great help.
Thanks in advance.
Neelesh
Hi,
It seems we need to talk with the site developers to determine how the sheet would display with different IE user agent string.
Regarding the user agent string changes, please take a check with the following article:
Introducing IE9’s User Agent String
The Internet Explorer 8 User-Agent String (Updated Edition)
Hope this may help
Best regards
Michael Shao
TechNet Community Support -
Unable to enter to user Privilege EXEC Mode with catalyst 1900
Hello
I am setting up some lab network . I have 10 Cisco 1900 series switches . But when i try to power up it shows the below message. I am not able to get into user privilege mode.
Catalyst 1900 Management Console
Copyright (c) Cisco Systems, Inc. 1993-1997
All rights reserved.
Ethernet address: 00-C0-1D-81-43-65
1 user(s) now active on Management Console.
Enter password:
Catalyst 1900 - Main Menu
[C] Console Password
[S] System
[N] Network Management
[P] Port Configuration
[A] Port Addressing
[D] Port Statistics Detail
[M] Monitoring
[V] Virtual LAN
[R] Multicast Registration
[F] Firmware
[I] RS-232 Interface
[U] Usage Summaries
[H] Help
[X] Exit Management Console
Enter Selection:
could you pls tell me how can i get into the user mode such as
Switch1#
Thanks
Navaz
There were two versions of software for the 1900 series switches, one with purely menu-based configuration and management and the Enterprise version, which had an option to exit the menu and get access to a CLI. Note though that this is not Cisco IOS.
There's a post, Catalyst 1900 Enterprise software, on the forum from 2002 that will give you some more details. As indicated in that post there's an option to upgrade to the Enterprise edition, but you obviously need to acquire the software.
As per the responses from Richard and Leo, these are very old switches and depending upon what you're trying to do with them, may not serve your purpose.
Regards -
Symptom
RD License server is a key component of RDS. It licenses users to access RDS servers.
After purchase the required RDS CALs, we need to activate the RDS License server and install the purchased RDS CALs. However, during the installation or after installation, we may face errors about RDS License.
In most cases, the following error may occur.
Error:
The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server "Server name" does not have any installed licenses with the following attributes:
Product version: Windows Server 2012
Licensing mode: Per User
License type: RDS CALs
Troubleshooting
1. Check whether the RD License Configuration is configured properly and there are no Warnings in the Event.
2. The License Server should be part of 'RD Server License' group in Active Directory Domain Services.
3. Check if the Licensing Mode is correct.
- To change the Licensing Mode we can use RD Licensing diagnose, PowerShell cmdlet and Group Policy.
Via PowerShell cmdlet:
To change the licensing mode on RDSH/RDVH:
$obj = Get-WmiObject -Namespace "Root/CIMV2/TerminalServices" -Class Win32_TerminalServiceSetting
$value = 4   # Value can be 2 - Per Device, 4 - Per User
$obj.ChangeMode($value)
Via Group Policy
Path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
Use the specified RD license servers = FQDN of server name
Set the Remote Desktop licensing mode =
Per User
However, if issue persists, please provide detailed information and post the question in the
Remote Desktop Services (Terminal Services) forum.
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.
Hi Richard,
You need to uninstall Remote desktop session host feature. After removing it, you will default two connections which does not need to purchase RD CALs'.
Thanks,
Umesh.S.K -
Internet Explorer 11 - Emulation Document Mode and User Agent String Drop Down Menu Blank
Hey
I have a user who has a problem with Internet Explorer 11 where when you go to emulation mode using F12, the Document Mode and User Agent String Drop Down Menu are both blank. On our internal website its works correctly but on all other external websites they are both blank.
I have had a look at the link below but this did not help as it would not recreate some of the registry keys.
http://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/document-mode-and-user-agent-string-dropdowns/cd34d5f8-7839-4083-af55-05d49ba85190?rtAction=1387560713451
Charlie
Hi,
Please include links to any websites that you are having issues with your questions.
There are some known reasons why the documentMode dropdown appears blank...
not all websites though should have the conditions for this.
f12>Console tab, refresh the page to show suppressed error messages and warnings... (documentMode x-ua toggling is listed)...
IE11 includes improvements for XSS... to link to internet sites from your intranets you need to add those sites (If you really, really trust them) to the Trusted Sites list.
the developer console will list blocked xss requests.
by default IE11 runs in EPM.... in the Internet Zone, while it is not switched on for the intranet zone....
EPM only allows 64 bit Addons and ActiveX controls to run in the context of an IE tab...
so its highly likely that one of your Addons is causing the issue.
the first step in troubleshooting IE issues is to test in noAddons mode.
Regards.
Rob^_^ -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by creating different aaa groups.
But still you will be logging in for telnet users (all of them) using one method.
I hope it is clear.
PK -
AAA, Tacacs+ and ACS
I'm trying to use ACS (v4.1) to authenticate admin to our Cisco switches and also restrict access to particular commands for particular users, I've done a lot of research on this but can't find a complete document that goes through it step by step.
What I have so far on the switch is
enable secret 5 removed
username admin privilege 15 password 7 removed
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
The local admin logins in perfectly fine when the switch is not connected to the network.
When I connect the switch to the network and login using my AD credentials it works a treat.
When I try and login with a local ACS account for testing which has Max Privilege for any AAA Client Level 1, Tacacs+ Settings Shell(exec) is ticked as is Privilege level and that's set at 1 also it logins in fine but when I try to go into exec mode it fails with errors below
% Error in authentication.
.Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
I don't want test to go into exec mode as level 15 I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
I'm at a loss to know why this isn't working so any help would be much appreciated.
Thanks
Jon
The problem you are facing and the error you're seeing on ACS "max session exceeded" seems 2 different issues. I read that you don't wanna try this with Max privilege and privilege level set to 15. However, if you want to restrict user to few commands on any IOS, that can't be done like this.
You need to have command authorization enabled on the switch and command set on the ACS > shell command authorization. This is pretty common feature that we use day in day out.
You need to set privilege level to 15 because we are using exec authorization on the switch and then follow this document.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
You would see few examples of read-only access and read-write access.
You may also let me know what all command you would like to allow for read-only access.
Please feel free to let me know if you need any further assistance.
~BR
Jatin Katyal
**Do rate helpful posts** -
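The method lists posted in the threads above can be checked mechanically. The audit below is an added example, not code from any of the posters or from Cisco: it parses `aaa` lines and flags a login list that ends in `none`, a login list with no non-server fallback, a missing exec authorization list, and missing command accounting. The finding names are made up for this example; the two configurations are copied from the posts above.

```python
KINDS = ("authentication", "authorization", "accounting")
RECORD_TYPES = ("start-stop", "stop-only")

# Copied from the first post on this page (the last word is truncated there).
JOHN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ enab
aaa authorization config-commands
"""

# Copied from the "AAA, Tacacs+ and ACS" post.
JON_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


def parse_aaa(config):
    """One dict per 'aaa <kind> <service> [level] <list> <methods...>' line."""
    entries = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "aaa" or tok[1] not in KINDS:
            continue  # aaa new-model, config-commands, session-id, ...
        kind, service, rest = tok[1], tok[2], tok[3:]
        level = None
        if service == "commands" and rest[0].isdigit():
            level, rest = int(rest[0]), rest[1:]  # privilege level of the list
        if not rest:
            continue
        list_name, rest = rest[0], rest[1:]
        if rest and rest[0] in RECORD_TYPES:      # accounting record type
            rest = rest[1:]
        methods, it = [], iter(rest)
        for t in it:
            # "group tacacs+" is a single method made of two tokens.
            methods.append("group " + next(it, "?") if t == "group" else t)
        entries.append({"kind": kind, "service": service, "level": level,
                        "list": list_name, "methods": methods})
    return entries


def audit(config):
    """Return (finding, detail) tuples for one device configuration."""
    entries = parse_aaa(config)
    findings = []
    for e in entries:
        if (e["kind"], e["service"]) != ("authentication", "login"):
            continue
        if e["methods"] and e["methods"][-1] == "none":
            # IOS moves to the next method only when the previous one errors
            # (server unreachable); "none" then admits the session with no
            # authentication at all.
            findings.append(("login-falls-back-to-none", e["list"]))
        elif all(m.startswith("group ") for m in e["methods"]):
            # Server groups only: nobody can log in while they are unreachable.
            findings.append(("login-has-no-local-fallback", e["list"]))
    present = {(e["kind"], e["service"]) for e in entries}
    if ("authorization", "exec") not in present:
        # Without exec authorization the privilege level configured on the
        # server is not applied at login; the session starts in user EXEC.
        findings.append(("no-exec-authorization", None))
    if ("accounting", "commands") not in present:
        # No per-command record of which user ran what.
        findings.append(("no-command-accounting", None))
    return findings


if __name__ == "__main__":
    for name, cfg in (("John", JOHN_CONFIG), ("Jon", JON_CONFIG)):
        print(name, audit(cfg))
```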
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
Bob
Hello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
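The "Packet Encryption" comparison above, as an added example that is not part of the original post or of the quoted Cisco text: a parser for the 12-byte TACACS+ header, including the flag that marks the body as unencrypted, and the MD5-based body obfuscation as specified in RFC 8907. The shared key, session id and body are constructed sample values, and the body is a placeholder string rather than a real authentication body.

```python
import hashlib
import struct
from dataclasses import dataclass

# Header layout (RFC 8907): version, type, seq_no, flags, session_id, length.
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

# Constructed placeholder payload standing in for a packet body.
SAMPLE_BODY = b"user=jdoe port=tty2 rem_addr=192.0.2.10"


@dataclass(frozen=True)
class TacacsHeader:
    version: int
    packet_type: str
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def body_is_cleartext(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(packet: bytes) -> TacacsHeader:
    """Decode the header, which is always sent in the clear."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != 0xC:
        raise ValueError("major version is not 0xC, not a TACACS+ packet")
    if len(packet) - HEADER.size != length:
        raise ValueError("length field does not match the body size")
    return TacacsHeader(version, PACKET_TYPES.get(ptype, "unknown"),
                        seq_no, flags, session_id, length)


def pseudo_pad(hdr: TacacsHeader, key: bytes) -> bytes:
    """MD5 chain over session_id, key, version and seq_no, cut to body length."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, block = b"", b""
    while len(pad) < hdr.length:
        block = hashlib.md5(seed + block).digest()  # each block feeds the next
        pad += block
    return pad[:hdr.length]


def read_body(packet: bytes, key: bytes) -> bytes:
    """Return the body as the key holder sees it."""
    hdr = parse_header(packet)
    body = packet[HEADER.size:]
    if hdr.body_is_cleartext:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key)))


def observer_view(packet: bytes) -> dict:
    """What a capture shows to someone who does not hold the shared key."""
    hdr = parse_header(packet)
    return {"type": hdr.packet_type, "session_id": hdr.session_id,
            "seq_no": hdr.seq_no, "length": hdr.length,
            "body": packet[HEADER.size:] if hdr.body_is_cleartext else None}


def build_packet(ptype, seq_no, session_id, body, key, cleartext=False):
    """Assemble a packet as a client would; used here to make sample data."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    header = HEADER.pack(0xC0, ptype, seq_no, flags, session_id, len(body))
    if not cleartext:
        hdr = parse_header(header + body)
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key)))
    return header + body


if __name__ == "__main__":
    key = b"constructed-shared-key"
    for clear in (False, True):
        pkt = build_packet(1, 1, 0x1A2B3C4D, SAMPLE_BODY, key, cleartext=clear)
        print(observer_view(pkt), read_body(pkt, key))
```

A collector or server that sees `body_is_cleartext` on production traffic has found a device left in the debugging configuration the text describes.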
Cisco Devices Syslog monitoring and user monitoring tools
Can anyone help me how to monitoring syslog and users log (which command use specific user). if any software or hardware need for this purpose we will purchase it. note that our network running all cisco devices (router, switch, ASA etc) and more than 200 devices are in our network.
thanks.
Configuring Cisco Devices to Use a Syslog Server
Most Cisco devices use the syslog protocol to manage system logs and alerts. But unlike their PC and server counterparts, Cisco devices lack large internal storage space for storing these logs. To overcome this limitation, Cisco devices offer the following two options:
Internal buffer— The device's operating system allocates a small part of memory buffers to log the most recent messages. The buffer size is limited to few kilobytes. This option is enabled by default. However, when the device reboots, these syslog messages are lost.
Syslog— Use a UNIX-style SYSLOG protocol to send messages to an external device for storing. The storage size does not depend on the router's resources and is limited only by the available disk space on the external syslog server. This option is not enabled by default.
TIP
Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time, and time zone. Syslog data would be useless for troubleshooting if it shows the wrong date and time. You should configure all network devices to use NTP. Using NTP ensures a correct and synchronized system clock on all devices within the network. Setting the devices with the accurate time is helpful for event correlation.
To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices.
Cisco devices use a severity level of warnings through emergencies to generate error messages about software or hardware malfunctions. The debugging level displays the output of debug commands. The Notice level displays interface up or down transitions and system restart messages. The informational level reloads requests and low-process stack messages.
Configuring Cisco Routers for Syslog
To configure a Cisco IOS-based router for sending syslog messages to an external syslog server, follow the steps in Table 4-11 using privileged EXEC mode.
Table 4-11. Configuring Cisco Routers for Syslog
| Step | Command | Purpose |
| --- | --- | --- |
| 1 | Router# configure terminal | Enters global configuration mode. |
| 2 | Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone] | Instructs the system to timestamp syslog messages; the options for the type keyword are debug and log. |
| 3 | Router(config)#logging host | Specifies the syslog server by IP address or host name; you can specify multiple servers. |
| 4 | Router(config)# logging trap level | Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower. The possible values for level are as follows: Emergency: 0, Alert: 1, Critical: 2, Error: 3, Warning: 4, Notice: 5, Informational: 6, Debug: 7. Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network. |
| 5 | Router(config)# logging facility facility-type | Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7. |
| 6 | Router(config)# End | Returns to privileged EXEC mode. |
| 7 | Router# show logging | Displays logging configuration. |
Note
When a level is specified in the logging trap level command, the router is configured to send messages with lower severity levels as well. For example, the logging trap warning command configures the router to send all messages with the severity warning, error, critical, and emergency. Similarly, the logging trap debug command causes the router to send all messages to the syslog server. Exercise caution while enabling the debug level. Because the debug process is assigned a high CPU priority, using it in a busy network can cause the router to crash.
Example 4-12 prepares a Cisco router to send syslog messages at facility local3. Also, the router will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Example 4-12. Router Configuration for Syslog
Router-Dallas#
Router-Dallas#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-Dallas(config)#logging 192.168.0.30
Router-Dallas(config)#service timestamps debug datetime localtime show-timezone msec
Router-Dallas(config)#service timestamps log datetime localtime show-timezone msec
Router-Dallas(config)#logging facility local3
Router-Dallas(config)#logging trap warning
Router-Dallas(config)#end
Router-Dallas#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 79 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level warnings, 80 message lines logged
Logging to 192.168.0.30, 57 message lines logged
Configuring a Cisco Switch for Syslog
To configure a Cisco CatOS-based switch for sending syslog messages to an external syslog server, use the privileged EXEC mode commands shown in Table 4-12.
Table 4-12. Configuring a Cisco Switch for Syslog
| Step | Command | Purpose |
| --- | --- | --- |
| 1 | Switch>(enable) set logging timestamp {enable \| disable} | Configures the system to timestamp messages. |
| 2 | Switch>(enable) set logging server ip-address | Specifies the IP address of the syslog server; a maximum of three servers can be specified. |
| 3 | Switch>(enable) set logging server severity server_severity_level | Limits messages that are logged to the syslog servers by severity level. |
| 4 | Switch>(enable) set logging server facility server_facility_parameter | Specifies the facility level that would be used in the message. The default is local7. Apart from the standard facility names listed in Table 4-1, Cisco Catalyst switches use facility names that are specific to the switch. The following facility levels generate syslog messages with fixed severity levels: 5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching; 4: CDP, UDLD; 2: Other facilities. |
| 5 | Switch>(enable) set logging server enable | Enables the switch to send syslog messages to the syslog servers. |
| 6 | Switch>(enable) Show logging | Displays the logging configuration. |
Example 4-13 prepares a CatOS-based switch to send syslog messages at facility local4. Also, the switch will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Example 4-13. CatOS-Based Switch Configuration for Syslog
Console> (enable) set logging timestamp enable
System logging messages timestamp will be enabled.
Console> (enable) set logging server 192.168.0.30
192.168.0.30 added to System logging server table.
Console> (enable) set logging server facility local4
System logging server facility set to
Console> (enable) set logging server severity 4
System logging server severity set to <4>
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable) show logging
Logging buffered size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: enabled
{192.168.0.30}
server facility: LOCAL4
server severity: warnings(4
Current Logging Session: enabled
Facility Default Severity Current Session Severity
cdp 3 4
drip 2 4
dtp 5 4
dvlan 2 4
earl 2 4
fddi 2 4
filesys 2 4
gvrp 2 4
ip 2 4
kernel 2 4
mcast 2 4
mgmt 5 4
mls 5 4
pagp 5 4
protfilt 2 4
pruning 2 4
radius 2 4
security 2 4
snmp 2 4
spantree 2 4
sys 5 4
tac 2 4
tcp 2 4
telnet 2 4
tftp 2 4
udld 4 4
vmps 2 4
vtp 2 4
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
Console> (enable)
Configuring a Cisco ASA for Syslog >
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html
You can get a free copy of Syslog server from here
http://www.kiwisyslog.com/free-edition.aspx
Hope it helps!!
Regards -
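How the facility and severity settings of Example 4-12 look on the receiving side, as an added example that is not part of the original post or of the text it quotes: a parser that decodes the syslog PRI value and the `%FACILITY-SEVERITY-MNEMONIC` tag, applies the `logging trap` threshold, and pulls failed privilege-level authentications out of the stream. The sample lines are constructed (sequence numbers, times and the 192.0.2.10 address are made up); the PRIV_AUTH_FAIL text is the message quoted in an earlier thread on this page.

```python
import re

# Severity names as listed in Table 4-11; the list index is the numeric level.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
LOCAL0 = 16  # syslog facility codes 16..23 are local0..local7

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"              # PRI = facility * 8 + severity
    r"(?:(?P<seq>\d+): )?"              # optional sequence number
    r"(?P<timestamp>.*?): "             # written by 'service timestamps log'
    r"%(?P<tag_facility>[A-Z0-9_]+)-(?P<tag_severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
PRIV_FAIL_RE = re.compile(
    r"Authentication to privilege level (\d+) failed by (\S+) on (\S+)")

# Constructed lines as a server would receive them from a router using
# 'logging facility local3' and the default trap level (informational).
SAMPLE_LINES = [
    "<157>45: .Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: "
    "Authentication to privilege level 15 failed by test on console",
    "<155>46: .Oct 25 14:21:02.114: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "<157>47: .Oct 25 14:23:40.907: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.10)",
]


def encode_pri(facility: str, severity: str) -> int:
    """PRI for a localN facility and a severity name, e.g. local3/warning."""
    return (LOCAL0 + int(facility[len("local"):])) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int):
    code, level = divmod(pri, 8)
    local = LOCAL0 <= code <= LOCAL0 + 7
    return (f"local{code - LOCAL0}" if local else f"facility{code}",
            SEVERITIES[level])


def parse_line(line: str):
    """Return a dict for a Cisco-style syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    level = int(m["tag_severity"])
    return {"facility": facility, "severity": severity, "level": level,
            "mnemonic": m["mnemonic"], "text": m["text"],
            # The PRI severity and the digit in the %TAG should agree.
            "pri_matches_tag": SEVERITIES.index(severity) == level}


def passes_trap(message: dict, trap_level: str) -> bool:
    """True if 'logging trap <trap_level>' would let this message out."""
    return message["level"] <= SEVERITIES.index(trap_level)


def privilege_failures(lines):
    """(user, requested level, line) for every PRIV_AUTH_FAIL message."""
    hits = []
    for msg in filter(None, map(parse_line, lines)):
        m = PRIV_FAIL_RE.search(msg["text"])
        if msg["mnemonic"] == "PRIV_AUTH_FAIL" and m:
            hits.append((m[2], int(m[1]), m[3]))
    return hits


if __name__ == "__main__":
    for msg in map(parse_line, SAMPLE_LINES):
        print(msg["facility"], msg["severity"], msg["mnemonic"],
              "sent" if passes_trap(msg, "warning") else "dropped at the router")
    print(privilege_failures(SAMPLE_LINES))
```

With `logging trap warning` as in Example 4-12, the two severity-5 messages (the failed enable attempt and the configuration change) never leave the router, which matters when the goal is to monitor user activity.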
System and User Statuses Missing
Hi All,
Does anyone know what causes the system and user statuses to disappear on the main screen of the production order. Normally we see all system statuses and the current user status like this:
Status CRTD PRC CSER BCRQ MANC SETC REL
User Status ERR
Some configuration must have changed because even though the statuses are in JEST, they are not displayed on the order.
Status
User Status
Thanks for the help,
Malissa
Malissa,
Just a different thinking to see, whether we can get some clues.
I would suggest you get into the order in the change mode, try some minor changes may in terms of operation text etc...and try to save the order. if there are some missing stuff, I am sure now SAP would throw out the error lets take the leads from there on.
Regards,
Prasobh