TACACS+ configuration for Cisco ASA

Similar Messages

• How we archieve configuration for Cisco ASA 5500 series appliances

  Hi,
  We need to archieve configuration for Cisco ASA 5500 series appliances.
  We have Cisco works LMS 3.0.1.
  Device package installed is 4.2
  Any help would be appricated.
  Thanks in advance.
  Samir

  Hi ,
  Thanks for your answer.
  Right now we are using TACAS to login in to the ASA. That means we need single username and password to login via
  Cisoworks. Am I correct ?
  Waiting for your reply.
  thanks,
  Samir

• Is it recommend to have a vulnerability scan for Cisco ASA device.

  Dear everyone. 
  I have a doubt on vulnerability scan for Cisco ASA device. Currently we have a vulnerability for network devices include firewall. But after run the vulnerability scan for cisco ASA, found nothing show in the scan report. 
  Is it recommend to have a vulnerability scan for Cisco ASA and will it be defeat the purpose of firewall?

  Do I understand are you asking can you configure the ASA to allow an external user run a scan against the internal network?
  If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
  If you had a remote access VPN, you could allow the external scanner to log in via that, Then they would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks)

• RAID Configurations for Cisco servers

  Hi All,
  What is the RAID configuration for Cisco Appliance(Version 8.5) like CUCM, CUPS, CUIC, Unity etc?RAID Configuration will be done while installtion itself or we need to do it explicitly?
  Regards,
  Adithya

  Hi Geoff,
  Thanks for the reply. Just wanted to know whether if this RAID configuartion is similar to the other server RAID where we install Cisco applications.(Like OS & Application Software is RAID 1 and Database is RAID10).
  Regards,
  Adithya

• Cisco works LMS 3.0.1 cannot archieve configuration for cisco 3000 series vpn concentrator

  Hi All,
  Our problem is, we have Cisco Works LMS 3.0.1. cannot archieve configuration for cisco 3000 series vpn concentrator.
  Any help would be greatly appreciated.
  Thanks in advance.
  Samir

  Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices.  RME will only use HTTPS to fetch VPN concentrator configurations.

• Cisco works LMS 3.0.1 does not archiever configuration for cisco 7201 router

  Hi All,
  We have Cisco works LMS 3.0.1 and it does not archiever configuration for cisco 7201 router.
  Any help would be appriciated.
  Thanks in advance
  Samir

  Hi,
  *** Device Details for d0151-100 ***
  Protocol ==> Unknown / Not Applicable
  Selected Protocols with order ==> TFTP,SSH,HTTPS
  Execution Result:
  Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Resource Manager Essentials -> Admin -> Config Mgmt -> Archive Mgmt ->Fetch Settings
  This is the error while doing syn archieve.
  I am not sure about Rtr7000 version but we have latest Rtr7000.
  Waiting for your kind reply.
  Samir

• Interactive Commands in NetConfig for Cisco ASA

  Hi,
  Maybe anyone knows, does CiscoWorks LMS supports this feature for Cisco ASA or I'm doing something wrong? I've sent interactive command "copy tftp: flash: <R>ip_address<R>asa841-k8.bin<R><R>"  to my ASA using netconfig tool and recived error "Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: copy tftp: flash: ." For Cisco Catalyst it works fine. I have a last version of CiscoWorks 4.0.1.

  No, SWIM doesn't support ASDM upgrades, but what you're doing here is a system software upgrade.  What you might try doing is to increase the telnet timeout for this device.  Unfortunately, that feature is hidden in LMS 4.0, but see this document on how to do that:
  https://supportforums.cisco.com/docs/DOC-15162
  The document talks about inventory collection, but the interface to adjust the telnet timeout is in the same location as the SNMP timeout.  You'll want to time the transfer to know how long to make the timeout.

• Security monitoring tool for Cisco ASA

  Please suggest a checp and best security monitoring tool for Cisco ASA devices.

  You can use ossec, open source tool installed on linux:
  http://www.ossec.net/

• TACACS config for PIX & ASA

  I am struggling in configuring the TACACS configure to allow authentication via Cisco ACS, I could able to configure for switches 2950,3750 but not with ASA & PIX, can any let me know the configs?

  I am actually looking for a similar command which I used on the Cisco 2950/3750
  aaa new-model
  aaa authentication login default group tacacs+ enable local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  with this commands I could able to track the command what all the user has used, logs with the user name which I configured on TACACS, the command which you have sent me I could able to login with the TACACS user name "aaa-server TACACS+ host " but it is not accounting all the details like login & logout time, command what the user has issued etc..

• Maximum number of connection profiles and group policies for Cisco ASA

  Hi,
  We have a Cisco ASA 5520 running 8.0(2) that we use only for Remote Access VPN.
  Does anyone know how many connection profiles and group policies that are supported on the box? I have not been able to find this in the manual.
  Thanks in advance for your help!
  Best regards,
  Harry

  There is no limit for connection profiles or group policies that can be configured on ASA. However the numbers do depend upon the memory available in the device as the profiles are stored in memory during execution.

• TACACS+ Authentication For Cisco NAM

  Hi All,
  I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
  For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
  Please advise.
  Thks and Rgds

  Steven
  I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
  If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
  HTH
  Rick

• Cisco internet filtering for cisco asa 5515x

  hi all,
  i know either websense or smartfilter (btw, mcaffee is now not selling smart filter anymore) can be used in 5515x internet filtering but does cisco have it's own filtering software for its product?  please don't give an appliance, my company is small.
  I'm tempting to use the default CLI command but there's no reporting on it i think.  Can it provide reporting for user access?  If it yes, please provide on how to do that.
  thanks!

  I just installed the ASA CX (http://www.cisco.com/en/US/products/ps12521/index.html) onto my software module on the ASA 5512-X. All it required was a SSD and license for the software. If you know anything about the Ironport Web Security Appliances, ASA CX is basically the IronPort WSA running on the sw-module of the ASA.
  The on-box version of the reporting/configuration engine (Cisco Prime Security Manager "PRSM") is simple but effective. Longer-term storage and drill-down reports requires an appliance or VMware virtual machine with the full-blown PRSM.
  The neat thing about the CX is the ability to block not just domains, but drill down and block specific application features. Say you want to block Facebook Games but not Facebook itself, it is a simple configuration on the ASA CX.
  I believe there is also a cloud version of it you can purchase, but I'm not sure of the details.
  Good luck!

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• Optimal configuration for Cisco E3000 Router

  Hi All,
  Following are the details of my current home network setup, I would like to hear more recommendations and drawbacks of this setup.
  ISP has provided with a Cisco  DPC3825 DOCSIS 3.0 Gateway which has 4 Ethernet ports and a wireless networking but only 2.4 GHz.. This router is connected to the cable CPE box to internet. I have enabled the Firewall features of this router and disabled the Wireless network. This has also the DHCP server running. 
  The Second router is a Cisco E3000 which supports 2.4 GHz / GHz wireless networking. Connection to gateway is made via the 1st Ethernet port of gateway and then to the Internet port of E3000 router. I have connected my wireless devices to E3000 with GHz wifi lan. This router also has the firewall activated and DHCP server running as well.
  Both routers have WEP2 Personal / AES security configured. Currently these two devices are on two different IP ranges ..etc gateway is 192.168.0.1 and e3000 is 192.168.1.1.
  The E3000 is primarily configured for my online video for TV (Panasonic Vireacast). Please let me know if this is the best configuration or any other possible options.
  Thanks,
  RG

  This configuration is called LAN to WAN configuration and this is the best configuration considering that you want to behave both the router as a router.
  Because the other confiuration would be LAN to LAN then you can only use 1 router as a router and 2nd router as a switch.
  http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=529c188bc0ee4f7da79ffc22f2be33ec_4579.xml&pid=80&r...
  The first configuration in the article is is LAN to LAN, scroll down the window for LAN to WAN configuration.

• Manually start RADIUS, Authentication and groups for Cisco ASAs

  I am testing moving a 10.7 server to 10.8.
  We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past.  In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service.  With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service.  The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
  I have found the clients file in /etc/raddb and added our ASAs to the clients list.  I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
  I need help with:
  1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
  2- Can anyone tell me how to turn on RADIUS?  radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
  Thanks

  With David's suggestion I was able to get RADIUS running.  The following assumes that you are comfortable with Terminal and would be able to back up any files you edit.  Here is what I did to our fresh installation of 10.8 Server:
  In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window.  The last line after this entry should be something similar to "Ready to process records."  In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
  In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed.  Scroll down in the file to the section where there are "instantiate" items.  I commented out the SQL setup, by putting a # before the line that says "sql".  Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor.  I redid step number 1 twice and eventually RADIUS was running.  Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future.  OS X Server adds its clients in an SQL database according to the programming notes in the .conf files.  I will only be using our Cisco ASAs so SQL is not relevant to our setup.
  Testing the running RADIUS server was easy as well.  In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed.  This file contains details for users if you wanted to add them manually to the RADIUS server.  For testing purposes I removed the # before a line referring to a user "steve."  I had to get RADIUS restarted to take up the new information about Steve.  I killed the process using Activity Monitor and reran step number 1.
  In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t".  You should get back a positive authentication message.  Switching back to the original tab will show the output of the RADIUS server.
  Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
  RADIUS is now running and authenticating against its own users file.
  Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them.  In Terminal enter "sudo pico /etc/raddb/clients.conf".  We added lines for our ASAs, following the samples in the code.  The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
  Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius".  This created the sacl for the service.  Editing of the associated users and groups permitted to use the service was able to be done in Server.  Be sure to select from the View menu "Show system accounts".  Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created.  The RADIUS sacl can then have groups and users added to it.
  To ensure that RADIUS is running and stays running enter the following in Terminal.  First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window.  Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
  I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA.  I was also able to authenticate a user which had been added to the "Users" in Server.  It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
  I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
  Once I have everything running properly, I will add a post here to close this discussion.
  If anyone can shorten this procedure please let us know what you suggest.
  -Erich