TACACS+ Authentication For Cisco NAM

Similar Messages

• Check_ntlm_password:  Authentication for user ['name'] - ['name'] FAILED with error NT_STATUS_LOGON_FAILURE

  Hi,
  We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell.  My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box.  I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too.  Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords.  But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
  check_ntlm_password:  Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
  (I am blanking out the user name on purpose).
  Of course there is more to the story, but those are the basics.
  Here are the relevant parts of my smb.conf.  FWIW, the CentOS / Samba box is called Jupiter.
  Thank you,
  NickZ
  [smb.conf]
  [global]
            display charset = UTF-8
            realm = SATURN.MCLEAN.HARVARD.EDU
            netbios aliases = ANL
            server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
            interfaces = lo, em1
            security = SERVER
            update encrypted = Yes
            password server = saturn.mclean.harvard.edu
            smb passwd file = /var/lib/samba/private/secrets.tdb
            passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
            passwd program = /usr/bin/passwd %u
            unix password sync = Yes
            lanman auth = Yes
            client NTLMv2 auth = Yes
            client use spnego principal = Yes
            kerberos method = system keytab
            log level = 2
            syslog = 3
            log file = /var/log/samba/log.%m
            max log size = 50
            name resolve order = host lmhosts wins bcast
            server signing = auto
            preferred master = Auto
            ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap group suffix = cn=groups
            ldap passwd sync = yes
            ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap ssl = no
            ldap user suffix = cn=users
            usershare allow guests = Yes
            idmap backend = ldap:ldap://saturn.mclean.harvard.edu
            idmap uid = 10000-20000
            idmap gid = 30000-40000
            cups options = raw
  [homes]
            comment = Home Directories
            read only = No
  [printers]
            comment = All Printers
            path = /var/spool/samba
            printable = Yes
            browseable = No
  [anl]
            comment = Main ANL Share
            path = /anl
            read only = No
            guest ok = Yes
            hide dot files = No

  Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
  Proud to say that since that day (10+ months ago) I've not seen it happen again. whew.

• TACACS+ configuration for Cisco ASA

  I tired configuring TACACS+ configuration for ASA but unable to complete it. I have ACS 3.3 for all other Cisco Routers and Switches

  Leo,
  I was looking around and come across this post. It's very late, however, wanted to add my inputs for other community members.
  RSA Token/One-Time-Password support available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+  with ASDM 6.2+.
  If the firewall is running in multi-context and transparent mode. It won't work. Below is the enhancement request that was filed for the same feature to be supported.
  CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes
  With WLC is yet not possible and there is a enhancement request filed.
  CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• EIGRP SHA Authentication for Cisco ASA

  Hi,
  I was just wondering if anyone knew if Cisco was going to implement EIGRP SHA authentication in to the ASAs? My organization is migrating from classic to named EIGRP for SHA authentication and right now I'm stuck at the ASA's. Static routing everything just to remove MD5 authentication doesn't sound very fun, if you know what I mean. :)
  Thanks!

  Hello Mohammad,
  I would recommend you to advertise them via EIGRP, better funcionality, escalability,etc,etc,etc.
  Regards

• Configuring TACACs Server for Cisco VPN 3000

  Does anyone know how to get to the configuration setting to specify a TACACs server?

  You need to be very careful when setting
  up this thing. If the AAA server is down
  for whatever reason, you will NOT be able to
  log into the Concentrator again. As far
  as the VPn3k console is concerns, it will
  let you login with the "admin" account,
  even though the AAA is up and running. In
  other words, you can login from console
  with both "admin" and AAA account at the same
  time.
  What a mess.

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• Problem setting 7606 router for TACACS+ authentication

  Hello Support Community,
  I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
  I use the two servers to authenticate many other Cisco devices in the network they are working fine.
  I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
  The server key is hidden but at the time of configuration, I can ascertain that it's correct.
  The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
  Please study the outputs below and help point out what I may need to change.
  PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
  http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
  Please help I'm stuck.
  ROUTER#sh running-config | sec aaa
  aaa new-model
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  aaa session-id common
  ROUTER#sh running-config | sec tacacs
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  tacacs server admin
  address ipv4 1.1.1.1
  key 7 XXXXXXXXXXXXXXXXXXXX
  tacacs server admin1
  address ipv4 2.2.2.2
  key 7 XXXXXXXXXXXXXXXXxxxx
  line vty 0 4
  login authentication admin
  ROUTER#sh tacacs
  Tacacs+ Server -  public  :
                 Server name: admin
              Server address: 1.1.1.1
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Tacacs+ Server -  public  :
                 Server name: admin1
              Server address: 2.2.2.2
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
  Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  ROUTER#sh ver
  Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Fri 30-Mar-12 08:34 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
  BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
  Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
  System returned to ROM by reload (SP by reload)
  System restarted at 20:00:59 UTC Wed Aug 28 2013
  System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
  Last reload type: Normal Reload
  Last reload reason: power-on
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
  Processor board ID FOX1623G61B
  BASEBOARD: RSP720
  CPU: MPC8548_E, Version: 2.1, (0x80390021)
  CORE: E500, Version: 2.2, (0x80210022)
  CPU:1200MHz, CCB:400MHz, DDR:200MHz,
  L1:    D-cache 32 kB enabled
          I-cache 32 kB enabled
  Last reset from power-on
  3 Virtual Ethernet interfaces
  76 Gigabit Ethernet interfaces
  8 Ten Gigabit Ethernet interfaces
  3964K bytes of non-volatile configuration memory.
  500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
  Configuration register is 0x2102

  In order to resolve this issue. Please replace the below listed command
  aaa authentication login admin group tacacs+ local enable
  with;
  aaa authentication login default group admin local enable
  You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
  Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

  Hi everyone
  As title, anyone knows how it works?
  I only found it can work with LDAP authentication, but not in TACACS+
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
  please give me a hand, thanks.

  Hi Karten,
  I have the similar requirement and I used the ACS and configure Auth profile and map the RADIUS class (25) value as ASA group-policy name (even tried with tunnel-group name), but it does not work. It allows whatever vpn group that user select regardless of the user groups he belongs to.
  I use two ACS local users and put them in two different groups and maped those two groups with two different Access rules in the ACS and pointed to correct Auth profile etc.
  I am not sure what could be the issue and appreciate if you can advise.
  thanks in advance.

• Using ACS for Cisco Prime authentication

  I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
  Any pointers?

  The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
  Administration > AAA > TACACS+ Servers > add tacacs server.
  Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
  The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
  "Configuring ACS 4.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
  https://supportforums.cisco.com/docs/DOC-17909
  In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
  Jatin Katyal
  - Do rate helpful posts -

• Device Name for Cisco Jabber

  I found a document on Jabber Developer that explains all steps for the Cisco Jabber CUCM Setup Guide (http://developer.cisco.com/web/jabber-developer/jabber-sdk-cucm-guide), the phone type must be Cisco Unified Client Services Framework, everything fine, but says that the Device Name should be as ECP<username> when original setup guides says that must be as CSF<username>.
  My users setup Device Name are as CSF<username>, but just to follow a best practice, should I change all Device Names to ECP<username>??
  Regards,
  Juan Carlos Arias

  There's another thread on which someone mentioned some problems when using ECP for device name. Windows for jabber method of operation is the name of it. Do you have any configs using ECP??
  Since I already have this in m lab working as expected i'll configure a couple of users with ECP and see if something changes, just wondering if you have something configured with ECP already.
  Sent from Cisco Technical Support iPad App

• Tacacs authentication fails for one user account for only one switch

  Hi,
  I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
  The same user account works well for other devices.
  The AAA configs are same on every devices in the network.
  Heres the show tacacs output from the switch where only one user account fails;
                Socket opens:        157
               Socket closes:        156
               Socket aborts:        303
               Socket errors:          1
             Socket Timeouts:          2
     Failed Connect Attempts:          0
          Total Packets Sent:       1703
          Total Packets Recv:       1243
            Expected Replies:          0
  What could be the reason ?
  No errors on ACS server; same rights had been given to the user account.
  Thanks to advise.
  Prasey

  Hi there,
  Does the user get authenticated in the ACS logs?
  reports and activity----> failed attempts
  ro
  reports and activity----->  passed authentications
  That will help narrow it down.
  Brad

• Support for Cisco VPN "mutual group authentication"

  Hi,
  Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
  Thanks,
  John

  I would like to know the answer to this as well.
  Thanks,
  Josh

• Radius authentication for privileged access

  Hello,
            I have configured Cisco 6513 for radius authentication with following commands.
  aaa new-model
  aaa authentication login authradius group radius line
  aaa accounting exec acctradius start-stop group radius
  radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
  line vty 0 4
  accounting exec acctradius
  login authentication authradius
       This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
       I am using TeKRadius as Radius server.
       Please help.
  Thanks and Regards,
  Pratik

  Hi Pratik
  Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
  You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
  There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
  Nick
  Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

• TACACS config for PIX & ASA

  I am struggling in configuring the TACACS configure to allow authentication via Cisco ACS, I could able to configure for switches 2950,3750 but not with ASA & PIX, can any let me know the configs?

  I am actually looking for a similar command which I used on the Cisco 2950/3750
  aaa new-model
  aaa authentication login default group tacacs+ enable local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  with this commands I could able to track the command what all the user has used, logs with the user name which I configured on TACACS, the command which you have sent me I could able to login with the TACACS user name "aaa-server TACACS+ host " but it is not accounting all the details like login & logout time, command what the user has issued etc..