Using AAA for enable mode

I used to use TACACS and ACS to enable Active Directory accounts to be used for enable mode. After using their AD account to SSH or telnet in, you would then type enable and then use your AD password. Now I don't have TACACS and need to use RADIUS (IAS) on a Windows server. I have telnet and SSH set up to use the AD accounts, but how can I (or can I) set up enable mode to use AD accounts?
thank you,
Bill

Bill,
Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that password to login to enable mode.
Regards,
~JG
Do rate helpful post
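The answer above and the configs posted in the similar threads below (the enable method list ending in "enable", command authorization with "none", "enable password" on a router) all come down to how the AAA method lists are written. The following is an added example, not code from this thread: a small Python audit that walks an IOS running-config and flags those settings. The sample config and the audit_aaa_config function are constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line message")

# Constructed sample in the style of the configs posted in this thread;
# values are made up and not taken from any real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
no service password-encryption
enable password cisco
line con 0
 password 7 11ddddD
line vty 0 4
 privilege level 15
 transport input telnet ssh
"""

def audit_aaa_config(config_text):
    """Return a list of Finding tuples for the AAA and line settings
    discussed in this thread (hypothetical helper, not an IOS feature)."""
    findings = []
    section = None  # the "line ..." block we are currently inside
    lines = config_text.splitlines()
    if not any(l.strip() == "aaa new-model" for l in lines):
        findings.append(Finding("high", 0, "aaa new-model is absent: AAA method lists do not apply"))
    for num, raw in enumerate(lines, 1):
        l = raw.strip()
        if l.startswith("line "):
            section = l
            continue
        if l.startswith("aaa authentication enable "):
            methods = l.split()[4:]  # everything after "default"
            if "group radius" in l:
                findings.append(Finding("info", num,
                    "enable auth via RADIUS: IOS sends the fixed username $enab15$, "
                    "so every user shares one enable password on the server"))
            if "enable" in methods and methods[0] != "enable":
                findings.append(Finding("info", num,
                    "local 'enable' is tried only when the server does not answer; "
                    "a reject from the server is final"))
        elif re.match(r"aaa authorization commands \d+ .*\bnone$", l):
            findings.append(Finding("medium", num,
                "command authorization falls open (none) if the server is unreachable"))
        elif l == "no service password-encryption":
            findings.append(Finding("medium", num, "line passwords are stored in cleartext"))
        elif l.startswith("enable password "):
            findings.append(Finding("high", num, "enable password used instead of enable secret"))
        elif section and l.startswith("transport input") and ("telnet" in l or l.endswith("all")):
            findings.append(Finding("medium", num, f"{section}: cleartext telnet permitted"))
        elif section and section.startswith("line vty") and l == "privilege level 15":
            findings.append(Finding("info", num,
                f"{section}: logins start in privilege 15 unless exec authorization assigns a level"))
    return findings

if __name__ == "__main__":
    for f in audit_aaa_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line}: {f.message}")
```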

Similar Messages

  • Using AAA for WAAS

    We are trying to integrate WAAS with the Cisco ACS server to have AAA functionality. Authentication works fine provided we create the user and map the respective roles locally in the WAAS CM. Otherwise the user is not allowed to log in to the home page itself.
    We need to know whether it is possible to use the authorization from ACS without creating the user and roles locally in WAAS,
    because it is added work to create all the users in WAAS as well.
    Please clarify.
    Regards,
    Guru

    Let me see what I can do; it's a process. Basically, you can create the group on the WAE like you typically would, then assign the permissions to the group.
    Now, once complete, go to your TACACS server; under TACACS services there should be a tab for advanced configuration options. Then, once you show that, check off "show customized TACACS attributes".
    Then, define a group in TACACS and input the custom WAAS group attributes: check off Shell (exec).
    Check off custom attributes and put the following string in: waas_rbac_groups=<>
    Submit/Restart
    Then either define a new user or assign a user to the new group created.
    Test, should work fine.

  • Log into Device with AAA, how do I get right into enable mode?

    I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
    aaa authentication login ACS group ACS_servers local enable
    aaa authorization exec ACS group ACS_servers local
    aaa authorization commands 15 ACS group ACS_servers local
    aaa accounting commands 1 default start-stop group ACS_servers
    aaa accounting commands 15 default start-stop group ACS_servers
    line vty 0 5
    login authentication ACS
    authorization commands 15 ACS

    The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
    One more question on the aaa config, I kept getting this error in the log:
    AAA/AUTHOR: config command authorization not enabled
    So I added:
    aaa authorization config-commands
    I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
    Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
    aaa authorization commands 15 ACS if-authenticated

  • Logging directly into enable mode on a PIX using TACACS

    I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
    Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
    Thanks in advance

    Hi,
    PIX does not support exec authorization. Hence the user cannot log in to level 15 directly.
    Regards,
    Vivek

  • Enable mode using privilege levels

    Hi All,
    We use TACACS+ for telnet access and the enable secret password for privileged access. A user would like to enter enable mode without entering the enable secret password. Is it possible to do this using privilege levels and shell exec on the AAA server?

    I have configured a user on AAA server and under the enable options, I have selected level 15 and under shell exec, I have selected privilege level 15.
    The router has the following config:
    aaa authorization exec default tacacs+ if-authenticated
    aaa authorization commands 1 default tacacs+ if-authenticated
    aaa authorization commands 15 default tacacs+ if-authenticated
    Am I missing any other commands?

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux box, RSA SecurID 6.1 and Cisco ACS 3.2. I use tacacs+ authentication for logging into the Cisco router, such as telnet and ssh. In the ACS I use "external user databases" for authentication, which proxy the request from the ACS over to the RSA SecurID Server. I installed RSA Agents with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
    Everything is working fine. In the "User Setup" I can see dynamic users test1, test2, ... testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
    The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into the "test1" user setting and select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
    Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, user test1 has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
    The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Console is authenticating to AAA but unable to enter enable mode

    When I enter via vty I can log in straight to privilege level 15 (authenticating to tacacs).
    However, when I try through the console port, I get in via privilege level 1;
    however, when I attempt to enable, I get asked for a password, and the enable password I have configured does not work.
    aaa authentication attempts login 2
    aaa authentication login default group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting system default start-stop group tacacs+
    line con 0
    password 7 11ddddD
    logging synchronous
    line aux 0
    line vty 0 4
    privilege level 15
    password 7 0605ddddddd41
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    password 7 06ddddd4F41
    logging synchronous
    transport input telnet ssh

    It is not working because you have "aaa authentication enable default group tacacs+ enable".
    If you are locked out I would suggest password recovery and using the aaa authentication and authorization commands carefully. Here is a guide to help you: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_aaa_overview_external_docbase_0900e4b1805adb64_4container_external_docbase_0900e4b1807af93e.html
    I hope it helps.
    PK

  • Privilege mode authentication using Tacacs for Cisco Routers

    I am trying to set up a test environment where I need to be asked for both a username and password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options on TACACS in order to set it up right. Has someone ever done a setup like this before? I would appreciate any help on this. Thanks.

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname 2621-3
    boot-start-marker
    boot system flash c2600-i-mz.123-26.bin
    boot-end-marker
    logging buffered 5001 debugging
    no logging console
    no logging monitor
    enable password cisco
    memory-size iomem 10
    clock timezone CST -7
    clock summer-time CST recurring
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default group tacacs+
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name int.voyence.com
    ip name-server 192.168.21.5
    !key chain jetef
    key 10
      key-string c1sco
    modemcap entry ZOOM
    modemcap entry ZOOM
    username jeff password 0 jeff
    tacacs-server host 192.168.21.230 key cisco
    tacacs-server host 10.6.230.32
    tacacs-server directed-request
    tacacs-server key dakey
    line con 0
    exec-timeout 15 0
    logging synchronous
    speed 115200
    line aux 0
    exec-timeout 15 0
    password 7 104D000A0618
    logging synchronous
    modem InOut
    modem autoconfigure discovery
    terminal-type monitor
    transport input all
    stopbits 1
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password cisco
    private
    logging synchronous

  • Aaa authorization (device doesn't always go into enable mode)

    When I log into the 4500 switch with my domain account, I get priv 1 only and have to "enable" with the local enable password to get to priv 15. How do I set this up to get directly to enable? The ACS 5.1 is set up with an authorization/shell profile for priv 15, no problems there.
    2821-RTR2#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    4500 that drops into enable mode:
    4500-SW1#show run | incl aaa
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login CONSOLE local-case line
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    On the non-working device enable:
    debug aaa authen
    debug aaa author
    debug tacacs
    and post the results.
    Also, on ACS 5.1 review the details for the authen/author on both the working and non-working devices and see if the desired shell profile is picked for the non-working device.

  • Recently got a MacBook Pro.  When I use it for work purposes, I plug in a large screen and key board.  When in this mode I would like to shut off the laptop screen or even close the lid. Is that possible?

    Recently got a MacBook Pro. When using it for work purposes I plug in a large screen and keyboard; that works fine. However, I would like to close the lid on the laptop, or at least shut down the laptop screen while using the large screen. Is that possible?

    Hi Jim,
    Craig is right on with his post. Hope he won't mind if I add the following link, as recently it has been noted by some posts here that there are some "quirks" with Clamshell Mode:
    http://support.apple.com/kb/HT3131?viewlocale=en_US

  • HT201263 Hi. I forgot my passcode and now I am unable to unlock my iPod. I tried restoring it using iTunes in recovery mode as well as DFU mode but it says unable to restore, unknown error occurred (3004). Please help me out. My iPod is locked for one hour

    Hi. I forgot my passcode and now I am unable to unlock my iPod. I tried restoring it using iTunes in recovery mode as well as DFU mode but it says unable to restore, unknown error occurred (3004). Please help me out. My iPod is locked for one hour now.

    Locked Out, Forgot Lock or Restrictions Passcode, or Need to Restore Your Device: Several Alternative Solutions
    1. iOS- Forgotten passcode or device disabled after entering wrong passcode
    2. iPhone, iPad, iPod touch: Wrong passcode results in red disabled screen
    3. Restoring iPod touch after forgotten passcode
    4. What to Do If You've Forgotten Your iPhone's Passcode
    5. iOS- Understanding passcodes
    6. iTunes 10 for Mac- Update and restore software on iPod, iPhone, or iPad
    Forgotten Restrictions Passcode Help
    You will need to restore your device as New to remove a Restrictions passcode. Go through the normal process to restore your device, but when you see the options to restore as New or from a backup, be sure to choose New.
    Also, see iTunes- Restoring iOS software.

  • Using XI for Service Enablement

    Hi,
    For my current project, we are evaluating using XI for service enablement of SAP and non-SAP applications.
    Does anyone have experience of doing this? Would appreciate some key points we should keep in mind while deciding / planning this.
    Thanks in advance,
    Jaideep

    First of all, there can be many reasons to choose or not to choose XI; you could even write a complete book about the pros and cons...
    I also agree with the previous note where it is said that XI can be an excellent choice.
    Nevertheless, one should pay attention to the requirements of your integration landscape; for instance, do you need high availability / high performance / throughput? In addition to this you should also investigate whether you'll be dealing with massive data replication or simple data exchange. In other words: are we talking about hundreds, thousands or millions of transactions to be performed by XI?
    To be honest, in the last case I would put all my bets on something other than XI. XI is not intended (at least right now) to perform massive data replication like an ETL would normally do.
    Cheers,
    Roberto

  • Using RADIUS without enabling AAA

    Is there any way I can use a RADIUS server without enabling/using AAA?
    Is there any command "ip auth radius ... "?
    Couldn't find anything on Cisco as such.

    Swapnendu
    Am I correct in assuming that you are talking about IOS based routers or CatOS switches? If so, I believe that the only way to use RADIUS is to use AAA.
    HTH
    Rick

  • Using get-aduser to search for enabled users in entire domain filter ..

    Hi,
    my first post here.
    I have the following problem. I am trying to figure out how to create a PowerShell command (with Get-ADUser) that searches for only enabled users (in the entire domain) whose user account login names start with "b" or "B" (because their user account login names are composed as Bnnnnn, n = numbers). I suppose that a string of "B*" in the command should be sufficient. The query result must show the user account login name (Bnnnnn), first name and last name, and the enabled (yes) status of those enabled users. I would like to write the entire query result to a file (CSV format), saving it to C: for example.
    Please help. Thanks in advance.

    I use -LDAPFilter mostly because I am used to the LDAP syntax. It can be used in PowerShell, VBScript, dsquery, VB, and many command line utilities (like Joe Richards' free adfind utility). Active Directory is an LDAP compliant database.
    The PowerShell -Filter syntax can do the same things, but the properties it exposes are really aliases. I'm used to the AD attribute names, like sAMAccountName and userAccountControl. PowerShell uses things like "enabled" and "surname", which are aliases you need to know or look up. For example, the Get-ADUser default and extended properties, with the actual AD attributes they are based on, are documented here:
    http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx
    Finally, note that the "Name" property refers to the Relative Distinguished Name (RDN) of the object, which for user objects is the value of the cn attribute (the Common Name of the user). This may not uniquely identify the user, as it only needs to be unique in the parent OU/container. The user login name (pre-Windows 2000 logon name) is the value of the sAMAccountName attribute, which must be unique in the domain. In the Wiki article I linked, we see that the PowerShell alias for this attribute is "SamAccountName" (in this case the name of the property matches the name of the AD attribute). All of this can be confusing.
    Richard Mueller - MVP Directory Services

  • Shall I use NRSE or RSE mode for reading the output voltage of my sensor?

    Hello,
    I am using a gas sensor that needs a power supply of 24 V and has an output voltage of 0 -> 10 V. I want to read this voltage with LabVIEW (and then convert it to PPM).
    My problem: I don't know what kind of analog input connection I must use, RSE or NRSE? (I suppose the DIFF mode isn't appropriate here.)
    I think I should use the NRSE mode (meaning connecting the V+ of the 0-10 V signal to one of the ACH and the V- to AISENSE)???
    Any help would be really great,
    Regards,
    David
    PS: using LabVIEW 7.1

    Hi David,
    It basically all boils down to whether the signal source is grounded or floating. If grounded, use DIFF for low voltages (0-2 V) and NRSE for high (above 2 V). If the signal is floating, use RSE.
    For more documentation see:
    http://digital.ni.com/public.nsf/websearch/D509679FFAE2764386256297005D0C9D
    http://zone.ni.com/devzone/conceptd.nsf/webmain/177A8B29FEDC0F5886256FA90083C0F8
    Regards
    Meister, NIDK
