Tacacs+ Setup on OpenBSD

Having some difficulties creating the configuration file for Tacacs 4.0.4.
I have my test switch authenticating and authorizing, but I am not able to figure out how to get the admins group to log in directly to privileged exec mode. Also, when I configure
aaa authorization enable group tacacs+ enable
I am not able to authenticate, and I have not been able to figure out how to do it for authorization to work. If I create a user = $enable$ with a password, all users get privilege level 15, and I don't want PL 15 at the vty login either.
This is pretty much the only thing I am stumped on. I have authorization and authentication working with the groups and individual users and also separate command groups; my next step is accounting, once I figure out how to create the darned log file in OpenBSD. :)
Here is my admin group
group = admin {
    default service = permit
    login = cleartext "test"
}
I want to put the exec and shell stuff under this group, and not under individual users.

If you want to authorize the admin group directly into privileged mode, you can use the following 'none' authentication configuration:
aaa authentication enable default none
This will stop forcing authentication into privileged mode.

Similar Messages

  • Loss of TACACS key after harddisk failure

    Our WAE/WAVEs in the field are configured for TACACS Authentication. During harddisk failures we could not access the devices. The ACS logs an invalid TACACS secret. In the running-config the "tacacs key ****" statement is missing. The statement can still be found in the startup-config.
    Is the "tacacs key" statement dependent on the harddisk?

    Hello,
    The internal WAAS TACACS setup causes a vicious circle. Authentication is required to access a device for troubleshooting. But authentication fails with a strict TACACS policy. In the meantime we found out that we can access the WAVE/WAE when authentication failover is disabled. With this change the WAE switches to the backup authentication method even when the password is wrong. This workaround allows access during disk failure situations. The workaround is in conflict with our security policy and we are now checking via TAC whether the WAE behavior is a feature or a bug.
    Kind regards Peter

  • Tacacs authorization and Priv levels

    Hi
    I'm struggling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
    So, in this environment we need the following:
    Read-only users
    Users with access to some configuration commands.
    Okay, the TACACS configuration for the read-only users looks like this:
    group = readonly-users {
       default service = deny
       cmd = show {
          permit running-config
          permit interface
          permit privilege
          permit vlan
          deny .*
       }
       service = exec {
          priv-lvl = 15
       }
    }
    # Note that priv lvl 15 has been set to allow the users to run the "show running-config", all other commands than the one mentioned is denied.
    The TACACS configuration for the Users with configuration access looks like this.
    group = restricted-user {
       default service = deny
       cmd = show {
          permit interface
          permit vlan
          permit privilege
          deny .*
       }
       service = exec {
          priv-lvl = 7
       }
    }
    And the following has been configured on the switches to allow further configurations, these commands we had to enable after I had made the previous read-only user in tacacs:
    privilege interface level 7 switchport access vlan
    privilege interface level 7 switchport mode access
    privilege interface level 7 switchport voice vlan
    privilege configure level 7 interface
    privilege exec level 7 configure terminal
    privilege exec level 7 show running-config
    privilege exec level 7 write memory
    It all worked just fine; the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and entered the privilege commands on the switch, it stopped working.
    Somehow the privilege commands on the switch apply to all privilege levels above level 7. Meaning that my read-only users with priv lvl 15, with all commands except show commands denied, can suddenly enter privileged exec mode because I allowed the priv lvl 7 users to enter it.
    This does not make sense to me, because I've read on Cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
    I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it ain't just a question of reconfiguring the switches; that would take the rest of 2011.
    I hope you guys know the answer to this.
    Thanks in advance.
    Kind regards

    Thanks for your answer.
    Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
    That's why I needed to configure the commands to be accessible from privilege level 7 on the equipment.
    If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those, from the TACACS configuration file, that would make it a lot easier, but that just ain't the way TACACS works, unfortunately.
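The two threads above both hinge on where tac_plus resolves `service = exec { priv-lvl = ... }` and `cmd = ...` blocks (on the user or inherited from its group). As an added example that is not code from either thread nor from tac_plus, this Python script parses the brace-delimited tac_plus syntax they use and reports each user's effective priv-lvl and command rules; the sample config is constructed (the admin group completed with the exec block the first poster wanted, plus the read-only group from the second thread), and the user-before-group lookup order is an assumption.

```python
# Added example (not the threads' own code, nor tac_plus itself): audit a
# tac_plus-style config for each user's effective exec priv-lvl and cmd rules.
import re

# Constructed sample: the admin group from the first thread completed with the
# exec block its poster wanted, plus the read-only group from the second thread.
SAMPLE_CONFIG = """
group = admin {
    default service = permit
    login = cleartext "test"
    service = exec {
        priv-lvl = 15
    }
}
group = readonly-users {
    default service = deny
    cmd = show {
        permit running-config
        deny .*
    }
    service = exec {
        priv-lvl = 15
    }
}
user = bob {
    member = readonly-users
}
user = $enable$ {
    login = cleartext "enablepass"
}
"""

BLOCK_RE = re.compile(r'^(\w[\w-]*)\s*=\s*(\S+)\s*\{$')   # e.g. `service = exec {`
ATTR_RE = re.compile(r'^([^=]+?)\s*=\s*(.+)$')            # e.g. `priv-lvl = 15`

def parse_config(text):
    """Return {'group': {name: node}, 'user': {name: node}}; a node holds 'attrs'
    [(key, value)], 'lines' (bare permit/deny lines) and 'blocks' {(kind, name): node}."""
    stack = [{'attrs': [], 'lines': [], 'blocks': {}}]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # tac_plus uses # comments
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced closing brace')
            stack.pop()
            continue
        m = BLOCK_RE.match(line)
        if m:
            node = {'attrs': [], 'lines': [], 'blocks': {}}
            stack[-1]['blocks'][(m.group(1), m.group(2))] = node
            stack.append(node)
            continue
        m = ATTR_RE.match(line)
        if m:
            stack[-1]['attrs'].append((m.group(1), m.group(2).strip()))
        else:
            stack[-1]['lines'].append(line)
    if len(stack) != 1:
        raise ValueError('missing closing brace')
    return {kind: {n: b for (k, n), b in stack[0]['blocks'].items() if k == kind}
            for kind in ('group', 'user')}

def _attr(node, key):
    return next((v for k, v in node['attrs'] if k == key), None)

def resolve(cfg, kind, name, seen=()):
    """Walk the user -> member group chain: the nearest `service = exec` priv-lvl
    and the nearest `cmd = X` block win (assumed tac_plus order: user, then groups)."""
    node = cfg[kind].get(name)
    if node is None or name in seen:
        return None, {}
    exec_block = node['blocks'].get(('service', 'exec'))
    priv = _attr(exec_block, 'priv-lvl') if exec_block else None
    rules = {c: list(b['lines']) for (k, c), b in node['blocks'].items() if k == 'cmd'}
    parent = _attr(node, 'member')
    if parent:
        ppriv, prules = resolve(cfg, 'group', parent, seen + (name,))
        priv = priv if priv is not None else ppriv
        rules = {**prules, **rules}          # the user's own cmd block overrides the group's
    return (int(priv) if priv is not None else None), rules

def audit(cfg):
    """Per-user summary plus the warnings a reviewer of these threads would raise."""
    users, warnings = {}, []
    for name in (n for n in cfg['user'] if n != '$enable$'):
        priv, rules = resolve(cfg, 'user', name)
        users[name] = {'priv_lvl': priv, 'cmd_rules': rules}
        if priv == 15 and rules:   # the second thread's read-only-at-level-15 pattern
            warnings.append(f'{name}: priv-lvl 15 limited only by cmd rules; holds only on '
                            'devices that send every command to TACACS+ for authorization')
    if '$enable$' in cfg['user']:
        warnings.append('$enable$ defined: users without their own enable password share it')
    return {'users': users, 'warnings': warnings}
```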

  • CiscoWorks Vs TACACS+ ??!! sw management problem--Pls help me out

    Hi Gurus,
    I have a query to ask on the software image management. Please help me out.
    There are many Cisco devices at my client's place, but only one device is creating a problem.
    It is a 2950 Catalyst switch. CiscoWorks is complaining that 'it has no image to import' when we run a job to fetch the image from the switch, but it has an image under the root directory of Flash. After going through RME troubleshooting and tips, I came to know that the connection protocol is telnet and ssh. Then I added the following commands in TACACS+ (to allow the CW2K user), which is a centralized authentication system for all users including CiscoWorks.
    Cisco has mentioned this error in following URL:
    http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html
    It looks like it is having difficulty to recognize the Flash (though it shows the files in the inventory) and at the same time, I am not sure whether the commands are complete.
    I allowed the following commands to be used by CiscoWorks through TACACS+:
    1. copy tftp flash
    2. copy flash tftp
    3. erase flash
    4. show version
    5. show flash
    Refer the URL: http://www.cisco.com/en/US/customer/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html#wp1045599
    Screen shot of the error and Detailed inventory report of the device are attached here.
    Please help me out with your expertise whether it is a TACACS which is stopping CW2K to view the Flash and files? or it is a problem with CiscoWorks to see the Flash.

    This document describes the procedure to configure the CiscoWorks Hosting Solution Engine 1.8.1 (HSE) using ACS as a TACACS+/RADIUS authentication module.
    ACS TACACS+ Setup for HSE
    ACS RADIUS Setup for HSE
    On Cisco.com, see also the Administration chapter of the User Guide for the CiscoWorks Hosting Solution Engine 1.8.1.
    http://www.cisco.com/en/US/products/sw/cscowork/ps150/prod_connection_guide09186a00802b2bae.html

  • ACE - Setup AAA TACACS+ using CS Unix ACS

    Hi,
    I have setup AAA tacacs+ on ACE Admin context with RSA token. This is similar to AAA IOS setup.
    I can login but it does not allow me to do any commands.
    "show users", under Domain, says I am logged in as "Network-Monitor default-domain".
    Any ideas how to get around this and make myself part of the Admin group?
    Also, is there any doco on setting up AAA on the ACE module using Cisco Secure for Unix ACS?
    Thanks
    Sanjay

    Hi,
    It did work as you suggested. I had to move user in [Root] as we have other Shell attributes in different groups.
    Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
    Oct 16 15:18:29 c1 user = test2 {
    Oct 16 15:18:29 c1 service = shell {
    Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    Oct 16 13:18:29 c1 }
    Oct 16 13:18:29 c1 service = exec {
    Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    ACE-Admin/Admin# sh users
    User Context Line Login Time (Location) Role Domain(s)
    admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
    *test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
    When I moved user in the support group with existing shell access configured, it dumps in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
    So I guess my option is to use RADIUS as login method.
    I am trying to get it going but the CS ACS Unix does not like :
    cisco-avpair = "shell:Admin=Admin default-domain;
    Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
    Oct 16 15:18:29 c1 check_items = {
    Oct 16 15:18:29 c1 200 = 1
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 reply_attributes = {
    Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
    Oct 16 15:18:29 c1 6 = 6
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 }
    Now I get :
    [ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
    Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
    test2 failed
    It would be good to see if anyone else has tried this.
    sanjay

  • How to setup TACACS to drop a user directly into level 15 on ASA?

    Is there a way to drop a user directly into level 15 on the ASA, just like on a router/switch, while keeping its username as the original (not changing it to enable_15)?

    You can't do that, it's considered a second level of security.
    Hope that helps.

  • Acs 4.2 :- router# test aaa group tacacs+ uid pwd .... works but not when authenticating

    I have setup ACS 4.2 and when I run
    router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code ]
    Both options work fine.
    But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
    My commands are :-
    tacacs-server host xx.xx.xx.xx single-connection port 49
    tacacs-server key xxxxxxxxxxx
    aaa authentication banner ^CUnauthorized access forbidden^C
    aaa authentication username-prompt "Enter Username: "
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    I don't see the banner NOR the "Enter Username:" prompt.
    Also, a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail.
    I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error there was "shared secret does not match" in the AAA server logs.
    I am still new to 4.2, so I am still trying to determine where the log files are etc., but since it works with the test command, I can't seem to understand why it fails with telnet.
    Any idea why this may be happening?
    Thanks

    I tried both suggestions... no luck.
    Below is the output of debug, with some lines in BOLD to help you find interesting lines in the log output.
    Thanks
    fixeddemo#sh run | inc tacacs
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    ip tacacs source-interface FastEthernet0/1
    tacacs-server host 10.1.7.15
    tacacs-server key xxxxxxxxxx
    fixeddemo#sh debugging
    General OS:
      TACACS+ events debugging is on
      TACACS+ authentication debugging is on
      TACACS+ packets debugging is on
      AAA Authentication debugging is on
      AAA Subsystem debugs debugging is on
    fixeddemo#
    Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
    Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
    Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
    Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
    Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
    Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
    Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
    Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
    Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
    Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
    Jun 17 14:15:54.674: T+: user:
    Jun 17 14:15:54.674: T+: port:  tty515
    Jun 17 14:15:54.674: T+: rem_addr:  10.1.1.216
    Jun 17 14:15:54.674: T+: data:
    Jun 17 14:15:54.674: T+: End Packet
    Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
    Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
    Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    fixeddemo#
    Jun 17 14:15:54.674: T+: msg:  Username:
    Jun 17 14:15:54.674: T+: data:
    Jun 17 14:15:54.678: T+: End Packet
    Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
    Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
    Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authentication
    Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
    fixeddemo#
    Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
    Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
    Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
    Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
    Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
    Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
    Jun 17 14:15:58.794: T+: User msg:
    Jun 17 14:15:58.794: T+: User data:
    Jun 17 14:15:58.794: T+: End Packet
    Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
    Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
    fixeddemo#
    Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Jun 17 14:15:58.798: T+: msg:  Password:
    Jun 17 14:15:58.798: T+: data:
    Jun 17 14:15:58.798: T+: End Packet
    Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
    Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authentication
    Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWORD
    fixeddemo#
    Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
    Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
    Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
    Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
    Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
    Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
    Jun 17 14:16:02.502: T+: User msg:
    Jun 17 14:16:02.502: T+: User data:
    Jun 17 14:16:02.502: T+: End Packet
    Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
    Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
    fixeddemo#
    Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
    Jun 17 14:16:02.554: T+: msg:
    Jun 17 14:16:02.554: T+: data:
    Jun 17 14:16:02.554: T+: End Packet
    Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
    Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
    Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
    fixeddemo#
    [ The output below is for the next Username: prompt I believe]
    Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
    Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
    Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
    Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
    Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
    Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
    Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
    Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
    Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
    Jun 17 14:16:04.558: T+: user:
    Jun 17 14:16:04.558: T+: port:  tty515
    Jun 17 14:16:04.558: T+: rem_addr:  10.1.1.216
    Jun 17 14:16:04.558: T+: data:
    Jun 17 14:16:04.558: T+: End Packet
    Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
    Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 43 bytes data)
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
    Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
    Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Jun 17 14:16:04.562: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    fixeddemo#
    Jun 17 14:16:04.562: T+: data:
    Jun 17 14:16:04.562: T+: End Packet
    Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
    Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authentication
    Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
    fixeddemo#

  • How can a mount a NFS share exported from OpenBSD?

    Hello Apple Discussions:
    I've been experimenting with NFS in a mixed OS environment, and have been successful exporting nfs share with tigerserver, and mounting it on both a powerpc linux system, and on a powerpc openBSD system.
    Likewise, I can export a NFS share from the linux powerpc box, and mount it on the openBSD box and on the tigerserver, although, the latter required using the options (ro,sync,insecure) in my exports file.
    However, when I export a share on the OpenBSD box, I can mount it on the linux box, but not on tigerserver.
    I would like for the OpenBSD box to export a NFS share securely, with read-write permissions, to the tigerserver.
    After reading so many tutorials, that it would be a page of links, just to list them all, I am pulling my hair out. However, I have found one thread that suggests, that perhaps what I'm trying to do is impossible:
    http://www.bsdforums.org/forums/showthread.php?t=54308
    Here it is suggested that the NFS won't work because tigerserver is not using UTF-8?
    I will have to say, that I was somewhat alarmed, that the only times I succeeded in mounting an nfs share exported from linux onto tigerserver, it was when the "insecure" option is used in the /etc/exports file. There doesn't seem to be an equivalent for the linux style exports option "insecure", in the bsd style options of --maproot=user:group1:group2.
    But I don't like using any options that say "insecure" anyways, so rather than trying to find out how to make openbsd "insecure", I would rather like to find out if there is a way to get tigerserver using UTF-8, at least when mounting NFS shares, if this is indeed the issue.
    Here are the more technical details. I've created a user on all systems named "fives" with the userid of 5555 and the groupid of 5555. I made the user a local user in the local NetInfo domain, but I've tried it with an LDAP user as well. The folders I wish to export and the folders into which to mount them are all owned by user fives and group fives, and have permissions set to 0775. The IP addresses are OpenBSD=192.168.222.111 TigerServer=192.168.222.233 LinuxPPC=192.168.222.253. I've included the relevant NFS setup files and running processes below:
    ON THE OPENBSD BOX:
    #/etc/exports
    /fives -alldirs -network=192.168.222.0 -mask=255.255.255.0
    /exports/fives -mapall=fives:fives 192.168.222.233 192.168.222.253
    #/etc/hosts.deny
    ALL: ALL
    #/etc/hosts.allow
    ALL: 192.168.222.233 192.168.222.253
    #/etc/rc.conf.local
    portmap=YES
    lockd=YES
    nfs_server=YES
    #here's proof that the daemons are running on the OpenBSD box;
    rpcinfo -p localhost
    program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100005 1 udp 863 mountd
    100005 3 udp 863 mountd
    100005 1 tcp 613 mountd
    100005 3 tcp 613 mountd
    100003 2 udp 2049 nfs
    100003 3 udp 2049 nfs
    100003 2 tcp 2049 nfs
    100003 3 tcp 2049 nfs
    100021 1 udp 895 nlockmgr
    100021 3 udp 895 nlockmgr
    100021 1 tcp 706 nlockmgr
    100021 3 tcp 706 nlockmgr
    # actually, I don't see statd, but haven't found the equivalent in openbsd. There's rpc.rstatd, and maybe it should be listed here, but there doesn't seem to be a way to launch it directly. This is a competitor with the UTF-8 theory about why it's not working.
    ON THE TIGER SERVER:
    # here's proof that tiger server sees the mounts:
    showmount -e 192.168.222.111
    Exports list on 192.168.222.111:
    /fives 192.168.222.0
    /exports/fives 192.168.222.233 192.168.222.253
    # here's the result of user fives' attempt at mounting a share:
    sudo mount -t nfs 192.168.222.111:/exports/fives /imports/fives
    mount_nfs: /imports/fives: Permission denied
    # yet user fives has no problem mounting same share on linuxppc box.
    What is different about OSX server? I thought it was supposed to speak NFS?
    ---argh... I'm steppin out for a pint.. Hopefully when I'm back it'll just work.

    One thing not mentioned is that if you decide on the multiple user approach, you can have your music folder in Shared Documents so you only store the tracks once.
    Each user is free to choose which of those tracks they want in their library.
    There is an Apple help article on multiple users.
    http://docs.info.apple.com/article.html?artnum=300432

  • TACACS Authorization of Web Interface on Aironet 1200 AP

    I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.
    However, the web interface is failing "ip http authentication". (Slight caveat: it works for a local user in the local AP DB; it does not work when it goes to CiscoSecure ACS to authenticate/authorize.)
    I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt to be presented; username and password are provided, and it fails.
    This is only evident from the output of a "debug ip http authentication"
    What do I need to configure in ACS to make this work?
    Relevant portion of config:
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    no ip http server
    ip http authentication aaa
    ip http secure-server
    Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default
    Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default
    Sep 7 13:40:59.909: HTTP: Authentication failed for level 15
    Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default
    Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default
    Sep 7 13:41:06.780: HTTP: Authentication failed for level 15
    This document appears to describe a scenario similar to mine, but is for http - not HTTPS:
    Local Authentication for HTTP Server Users
    http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win
    Any ideas what I may be missing here?
    Thanks,
    Jeff

    I found the answer was to use a more specific "ip http authentication" statement. Specifically, it required the following:
    CiscoSecure ACS:
    Group Settings
    Shell (exec)
    Priv Level = 15
    On the AP:
    had to enable:
    ip http authentication aaa login-authentication AP_Web (Named Method List)

  • Help me Decide on OpenBSD or Solaris as my web and file server please

    Hi
    5 questions
    i have been using OpenBSD as my Web and file server for a while now
    and FreeBSD as my Desktop
    i decided on OpenBSD as my Server because of its Security
    1) But now I hear Solaris is the most Secure OS on the Planet? is this true
    And which is real Unix?
    i seem to always have trouble with things such as PHP on OpenBSD
    Most of my pages run as *.html but i also have a forum which uses PHP 4
    But all my PHP pages come up blank..
    i am always encountering errors using PHP
    2) If I Switch to Solaris will it be even harder to use or
    is it precompiled with PHP 4 and higher when i install Apache
    3) Also what about cgi and the ability to use *.htaccess files should i use them
    4) Also I still would like to generate SSH keys with ssh-keygen
    is that possible? Forcing the user to login using only a key and
    not a password on SSH
    5) Does Solaris have any Linux compatibility as well?as FreeBSD has
    Consider me a newbie even though I used to post on this forum once before
    i am always experimenting trying new things out

    Either will work just fine. Since you're asking in the Sun forums, you should receive more Solaris replies of course! :-)
    The weak point in your setup (as far as security goes) would be the use of PHP either way...

  • IP address sent to TACACS server

    Set up a TACACS server on our network to control console and telnet access to routers and switches. Most of our remote routers have multiple WAN paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

    Hi
    FYI,
    Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
    The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
    The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
    –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
    –In a TACACS request, the IP address is obtained from the packet that ACS receives.

  • LMS 3.2 Windows - 10 minute timeout while using TACACS+ Login Module

    Hello,
    we have changed our login module to TACACS+ (Non-ACS). All works fine when we use users which are set up in TACACS+. Using an account which does not exist (or only exists in the CiscoWorks Local login module, even as fallback user) we register a timeout of 10 minutes until the login module fails the request (turned on debugging and watched the stdout.log of tomcat). While running the backup.pl script it seems that the user "admin" tries to access the web server, but as this user is not set up in TACACS+ we have to wait 20 or more minutes until the backup starts. So, is there a way to set a timeout value for that login module? Is it known that the admin account is needed to perform the backup?
    Thanks and kind regards
    Allessandro

    This delay is coming from your TACACS server. Can you shorten the authentication failure there? As for the user ID, check your System Identity User under Common Services > Server > Security > System Identity Setup. Make sure this user exists in the TACACS databases.

  • PIX authorization issue with TACACS+

    I have set up on a network:
    PIX firewall (ver 6.3(5)).
    aaa-server TACACS+ (inside) host 172.20.67.153 cisco123
    aaa accounting telnet console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authorization commands TACACS+
    I could able to login enable mode.
    But Iam getting Comamnd Authorization failed. If iam trying config t, show run which are allowed in PIX/ASA command authorization set in TACACS+.

    Hi friend,
    You could try the following:
    1) See the configuration of the user authorization on the ACS. Maybe there's a mistake when giving privileges to the desired user.
    See these documents:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/prod_configuration_examples_list.html
    2) Configure a local user and try to log in with the local database. To do it, see the example below:
    username admin password xxxxxxxx encrypted privilege 15
    Hope it helps. If it does, please rate.
    Regards,
    Rafael Lanna
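The exchange behind that "Command Authorization failed" message, as an added example that is not part of the original thread and not Cisco or ACS code: once command authorization is on, the device sends a TACACS+ authorization REQUEST (RFC 8907 section 6) for every command, carrying service=shell, cmd=... and one cmd-arg=... per word (Cisco devices terminate with cmd-arg=<cr>), and the server answers with a REPLY whose status the device acts on. The encoder/decoder below follows the RFC layout for both bodies; the per-group policy table, the user-to-group map, the port and remote address are constructed assumptions and do not reproduce the format of an ACS shell command authorization set. Bodies are shown before the MD5-pad obfuscation that the shared key applies on the wire (RFC 8907 section 4.5).

```python
"""Both sides of a TACACS+ authorization exchange (RFC 8907 section 6) for one
shell command.  Added example: wire layout per the RFC; POLICY/GROUPS and the
port/rem_addr values are constructed assumptions, not an ACS command set."""
import struct

# RFC 8907 values used here
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10

# Constructed policy (assumption): group -> permitted (cmd, required first cmd-arg or "") pairs.
POLICY = {"netops": [("show", ""), ("configure", "terminal")], "helpdesk": [("show", "")]}
GROUPS = {"alice": "netops", "bob": "helpdesk"}   # constructed user -> group map


def _lengths(fields):
    if len(fields) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("too many or too long fields for one-byte lengths")
    return bytes(len(f) for f in fields)


def encode_author_request(user, port, rem_addr, priv_lvl, args):
    """REQUEST body: 8 fixed bytes, one length byte per arg, then the strings (6.1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + _lengths(a) + u + p + r + b"".join(a)


def decode_author_request(body):
    """Inverse of encode_author_request; rejects any body whose lengths do not add up."""
    if len(body) < 8:
        raise ValueError("short authorization request")
    _m, priv, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    off = 8
    arglens = list(body[off:off + argc]); off += argc
    if len(arglens) != argc or len(body) != off + ulen + plen + rlen + sum(arglens):
        raise ValueError("authorization request length mismatch")
    fields = []
    for n in [ulen, plen, rlen] + arglens:
        fields.append(body[off:off + n].decode()); off += n
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "priv_lvl": priv, "args": fields[3:]}


def encode_author_reply(status, args=(), server_msg="", data=b""):
    """REPLY body (6.2): status, arg_cnt, server_msg_len, data_len, arg lengths, strings."""
    a = [x.encode() for x in args]
    m = server_msg.encode()
    return struct.pack("!BBHH", status, len(a), len(m), len(data)) + _lengths(a) + m + data + b"".join(a)


def decode_author_reply(body):
    if len(body) < 6:
        raise ValueError("short authorization reply")
    status, argc, mlen, dlen = struct.unpack("!BBHH", body[:6])
    off = 6
    arglens = list(body[off:off + argc]); off += argc
    if len(arglens) != argc or len(body) != off + mlen + dlen + sum(arglens):
        raise ValueError("authorization reply length mismatch")
    msg = body[off:off + mlen].decode(); off += mlen + dlen   # the data field is skipped here
    args = []
    for n in arglens:
        args.append(body[off:off + n].decode()); off += n
    return {"status": status, "server_msg": msg, "args": args}


def split_arg(arg):
    """'name=value' is mandatory, 'name*value' optional; the first separator wins (6.1)."""
    seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
    if not seps:
        raise ValueError(f"argument without separator: {arg!r}")
    i = min(seps)
    return arg[:i], arg[i + 1:], arg[i] == "="


def authorize_shell_command(request_body, policy=POLICY, groups=GROUPS):
    """Server side: decode, look the user up, match cmd/cmd-arg against the group's list."""
    req = decode_author_request(request_body)
    parsed = [split_arg(a) for a in req["args"]]
    service = next((v for n, v, _ in parsed if n == "service"), None)
    cmd = next((v for n, v, _ in parsed if n == "cmd"), None)
    cmd_args = [v for n, v, _ in parsed if n == "cmd-arg" and v != "<cr>"]
    group = groups.get(req["user"])
    if group is None or service != "shell" or cmd is None:
        return encode_author_reply(STATUS_FAIL, server_msg="unknown user or service")
    for pcmd, first_arg in policy[group]:
        if cmd == pcmd and (first_arg == "" or (cmd_args and cmd_args[0] == first_arg)):
            return encode_author_reply(STATUS_PASS_ADD)
    return encode_author_reply(STATUS_FAIL, server_msg="Command authorization failed")


def shell_command_request(user, priv_lvl, cmd_line):
    """Client side: the args a Cisco device sends for a shell command (cmd, cmd-arg..., cmd-arg=<cr>)."""
    words = cmd_line.split()
    args = ["service=shell", f"cmd={words[0]}"] + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"]
    return encode_author_request(user, "tty0", "192.0.2.10", priv_lvl, args)   # constructed port/address


def check(user, priv_lvl, cmd_line):
    """Full round trip; returns the reply status the device would act on."""
    return decode_author_reply(authorize_shell_command(shell_command_request(user, priv_lvl, cmd_line)))["status"]


if __name__ == "__main__":
    for who, line in (("alice", "configure terminal"), ("bob", "configure terminal"),
                      ("bob", "show running-config"), ("mallory", "show version")):
        print(who, repr(line), "PASS" if check(who, 15, line) == STATUS_PASS_ADD else "FAIL")
```

Two points worth keeping in mind when debugging a failure like the one in the thread: the server decides on the exact cmd and cmd-arg values the device sends, so what the user typed and what was authorized can differ, and a PASS_ADD reply may carry extra arguments, which is the channel server-side attributes such as cisco-av-pair values travel back to the client in. The same per-user lookup also means that with TACACS+ as the only authorization method, an unreachable server leaves every command failing.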

  • Cisco WCS 7.x TACACS+ with ACS 5.2

    Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
    So I'm trying to get WCS to work with TACACS per this document:
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
    However, after having to enter EVERY SINGLE TASK, once you get down to:
    Creating Service Selection Rules for TACACS
    To create service selection rules for TACACS, perform the following steps:
    Step 1 Choose Access Policies > Access Services > Service Selection Rules.
    Step 2 Click Create.
    Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
    I'm a little confused as to where it wants me to click 'Create'.  I of course did the 'hunt and peck' method and the only place I see where there is a 'create' button is under
    Access Policies >
    Access Services >
    Default Device Admin >
    Authorization
    but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

    Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2.  I've learned it's best to stick with the list so that you are not only familiar with that exact software, but that exact version's 'issues' as well.  No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

  • Prime Infrastructure 2.x tacacs+ with radiator

    Trying to set up Prime Infrastructure 2.x (2.2) to use TACACS+.  The TACACS+ service is running on a Linux server running Radiator (4.12).  With RADIUS and Radiator all we needed to do is define the user group and all the tasks associated with that group were inherited.  
    When configuring the TACACS+ configuration files I have tried various permutations of adding the cisco-avpair (cisco-av-pair) reply attrs on authentication and/or authorization. When defining the group or using the individual tasks I get the following error message:
    "no authorization information found for remote authenttication user. please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
    <ServerTACACSPLUS>
        Key SECRET
        Port 49
        GroupMemberAttr OSC-Authorize-Group
        # General Authorization rule format:
        AuthorizeGroup core-group permit protocol=HTTP service=NCS {cisco-av-pair="virtual-domain0=ROOT-DOMAIN" cisco-av-pair="role0=Super Users" }
    </ServerTACACSPLUS>

    It's not yet supported. Cisco doesn't generally publish roadmaps publicly for future support. The best you can do via public sources is to continue to watch the Supported Devices lists for updates.
    As of right now, here is a list of the current data center switches supported (in PI 2.1):
    Cisco Nexus 6004 Switch
    Cisco Nexus 5596T Switch
    Cisco Nexus 5010 Switch
    Cisco Nexus 5020 Switch
    Cisco Nexus 5020T Switch
    Cisco Nexus 7000 10-Slot Switch
    Cisco Nexus 7000 18-Slot Switch
    Cisco Nexus 1000V Series Switches
    Cisco Nexus 1010 Virtual Services Appliance
    Cisco Nexus 4001I Switch Module for IBM BladeCenter
    Cisco Nexus 4005I Switch Module for IBM BladeCenter
    Cisco Nexus 5548P Switch
    Cisco Nexus 5548UP Switch
    Cisco Nexus 5596UP Switch
    Cisco Nexus 3064 Switch
    Cisco Nexus 3048 Switch
    Cisco Nexus 3016 Switch
    Cisco Nexus 7000 9-Slot Switch
    Cisco Nexus 9500 Switch
    Cisco Nexus 3548 Switch
