WAAS Authentication using TACACS+

Similar Messages

• About 802.1x port authentication using TACACS+

  Hi
  I have some question. Please help me. Thanks.
  Question1. May I use that 802.1x port authentication using TACACS+
  Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
  Any help would be greatly appreciated.
  Thanks.

  Thanks to you.
  Where to find the documents about Tacacs+ doesn't support EAP?
  I cast more time and I cannot find the documents.
  Please help me....
  Thanks.

• FWSM: AAA authentication using TACACS and local authorization

  Hi All,
  In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
  We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
  Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
  "privilege show level 1 mode exec command access-list"  in the config.
  Is there anything i am missing or is there any other way of doing it?
  Thanks.

  You cannot do what you are trying to do. For (default login you need to use the first policy matched.
  you can diversify telnet/ssh with http by  creating different aaa groups.
  But still you will be loging in for telnet users (all of them) using one method.
  I hope it is clear.
  PK

• Aaa authentication using tacacs+ for LAP

  WIth Autonomous AP, you can configure aaa authtentication using Tacacs+.
  In lightweight AP, do u have similar function where u authenticate using tacacs+ when u telnet/ssh into the LAP after it is registered to the WLC?
  Rgds
  Eng Wee

  There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

• Privilege mode authentication using Tacacs for Cisco Routers

  I am trying to set up a test environment where I need to be able to be asked for both a username and password while entering enable mode from exec mode on a cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has someone ever did a setup like this before. I would appreciate any help on this. Thanks. 

  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  service compress-config
  hostname 2621-3
  boot-start-marker
  boot system flash c2600-i-mz.123-26.bin
  boot-end-marker
  logging buffered 5001 debugging
  no logging console
  no logging monitor
  enable password cisco
  memory-size iomem 10
  clock timezone CST -7
  clock summer-time CST recurring
  aaa new-model
  aaa authentication login default local
  aaa authentication enable default group tacacs+
  aaa authorization exec default group tacacs+ local
  aaa session-id common
  ip subnet-zero
  ip cef
  no ip domain lookup
  ip domain name int.voyence.com
  ip name-server 192.168.21.5
  !key chain jetef
  key 10
    key-string c1sco
  modemcap entry ZOOM
  modemcap entry ZOOM
  username jeff password 0 jeff
  tacacs-server host 192.168.21.230 key cisco
  tacacs-server host 10.6.230.32
  tacacs-server directed-request
  tacacs-server key dakey
  line con 0
  exec-timeout 15 0
  logging synchronous
  speed 115200
  line aux 0
  exec-timeout 15 0
  password 7 104D000A0618
  logging synchronous
  modem InOut
  modem autoconfigure discovery
  terminal-type monitor
  transport input all
  stopbits 1
  flowcontrol hardware
  line vty 0 4
  exec-timeout 15 0
  password cisco
  private
  logging synchronous

• ACS 5.3, ASA using TACACS+ forces to PAP?

  As the title says I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+.  It only works if I have PAP enabled on the ACS.  Obviously this concerns me.  I've found the following reference in the configuration guides:
  TACACS+ Server Support
  The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
  I can't figure out how to make the ASA use MS-CHAPv1 though.  Seems like it should be pretty simple.
  Incidentally I was having the same problem with VPN auth's using RADIUS but I was able to fix that by enabling the password management option which is only available in CHAPv2.  Seems that option isn't available under TACACS+.
  Any suggestions?

  As far as I am aware the asa will only use PAP to authenticate console exec logins. I wish it used chap-v2.
  Sent from Cisco Technical Support iPhone App

• Nexus, command authorization using TACACS.

  Hello.
  Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
  We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
  username admin password role network-admin ; local admin user
  feature tacacs+ ; enable the tacacs feature
  tacacs-server host key ; define key for tacacs server
  aaa group server tacacs+ tacacs ; create group called 'tacacs'
      server ;define tacacs server IP
      use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
      source-interface mgmt0 ; ...and send them from the mgmt interface
  aaa authentication login default group tacacs ; use tacacs for login auth
  aaa authentication login console group tacacs  ; use tacacs for console login auth
  aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
  aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
  aaa accounting default group tacacs ; send accounting records to tacacs
  Hope that works for you!
  (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
  Rob...

• Reg: Configuration of AAA using TACACS+

  Hi,
  I am Anubhav ,i m new to TACACS+ server and trying to implement aaa authentication using Cisco TACACS+ Server for which i've decided following AAA commands and a fall back user user1 has been configured on router to be authenticated.
  aaa authentication login default group tacacs+ local
  aaa authentication login NO_AUTHEN none
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization exec NO_AUTHOR none
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 1 NO_AUTHOR none
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization commands 15 NO_AUTHOR none
  aaa authorization network serial none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default stop-only group tacacs+
  aaa session-id common:purpose of this line ?
  Kindly check if it's ok and i might not get locked out.acs server has been defined on router .kindly guide us on steps to configure the user ,group ,privilege level on TACACS.
  Thanks.

  Hi,
  As I ve written in my previous post that i ve configured acs-server host and key on router , i ve created a user name test 1 on acs and added ,the router through add AAA client and Secure as shared Key.I must mention that i am using a Cisco 3845 router connected on my LAN for testing ACS and I have access to it through console as well.What else should I do on acs4.2 to get it authenticated by TACACS server ,also if i have more routers to add ,could i create a group in the same way and add AAA clients,Kindly suggest if my approach is correct.will there be separate users for each AAA client or same user can be used for all AAA clients for authentication through ACS if they are assigned to same group or if they are in Default group.
  Also how to implement policies on a group(say:security).Is there any screenshots tutorial available for the same.
  Thanks,

• Logging directly into enable mode on a PIX using TACACS

  I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
  Does anyone know it there is a way to configure the PIX to log someone directly into enable mode via TACACS?
  Thanks in advance

  Hi,
  PIX does not support exec authorization. Hence user cannot login to level 15 directly.
  Regards,
  Vivek

• Connecting to UCS6120 from Fabric Manager using TACACS

  Standalone Fabric Manager 5.0(4a)
  UCS 1.4(3s)
  I have to log into Fabric Manager using TACACS with SNMPv3 (company network security restriction).
  I launch Fabric Manger using my TACACS account which connects to all the switches in my two fabrics using the same credentials.
  I can connect to all MDS9513, MDS9222i, IBM Bladechassis FC switch modules and all NX5020 switches in the fabrics. Fabric Manager cannot connect to any of the eight UCS6120 switches in the fabrics, returning a status of Unknow User or Password(Server,Client).
  This, I understand, requires the creation of a specific SNMP user, which is fine. However as I am logged into Fabric Manager using a single TACACS account, I cannot supply alternate credentials to a subset of switches in the fabric.
  Is there a work around for this to enable management of the 6120s in FM? or am I missing something.
  Thanks
  Mike Taylor

  Fabric Manager uses the same credentials to access all systems,  these credentials will need to be valid on the UCS platform as well.  Create a local SNMP user on UCS and check.  This needs to be different from any non-snmp authentication accounts on UCS.
  Note that FM cannot manage UCS.  You will be able to view into UCS but not make changes. May not be an issue if UCSM is running end host mode.  To make any changes, you will need to use the UCSM GUI or CLI or other tool for administration.
  Thank You,
  Dan Laden
  PDI Helpdesk
  http://www.cisco.com/go/pdihelpdesk

• Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

  Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
  So I am trying to get TACACS+ auth to work for my ACE.
  The command string that I have on the ACE is as follows:
  tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
  aaa group server tacacs+ tacacs+
    server 172.16.101.4
  aaa authentication login default group tacacs+ local
  aaa authentication login console local
  aaa accounting default group tacacs+ local
  But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
  I do not know how to do this on the ACS 5.1.0.44.
  Anyone know?
  TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
  Thanks for your reply. About this question:
  shell:<Context>*<Role> <Domain>
  What I meant is that you need to check the following couple of things on
  your ACS server in order to have AAA Tacacs users to login into the
  ACE over the context with superuser ritghts.
  Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
  ‑> enable Custom attributes ‑> right below this part you need to
  use the following sintax to link the ACE context that this user
  has access to.
  For example:
  shell:<Context>*<Role> <Domain>
  shell:Admin*Admin default‑domain
  Where this user will have access to the Admin context with the role
  admin using the 'default‑domain'

  Wilfred,
  What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
  Once you get into this shell profile select the Custom Attributes tab and put in the following fields close to the bottom of the screen, from the example you provided type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional, if you select mandatory and other IOS devices use this same shell profile you will force this av pair to these devices also which will impact the priv levels that then need for authentication.
  After you add this attribute, save your changes and then test, also make sure that your Aceess Policy is calling this shell profile under the authorization profile for default device admin.
  Thanks,
  Tarik Admani

• ACS shell profile to only allow VPN authentication from TACACS+

  I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, that would also allow users to SSH all of the network infrastructure. The new profiles will be radius based and will take some time to get them to the users.
  In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
  Thanks

  Hi,
  i tested this with Cisco ACS 5.5 with TACACS for VPN tunnel it doesn't work.
  It gives you an error which is stated that service protocol used is for device administration.
  So it doesn't all VPN authentication to work. but for radius this works properly.
  Thanks & Regards,
  Nitesh

• Use Tacacs+ for Admin auth & Radius for user Auth?

  Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
  If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

  dont know about 1200s but you can do this on 1130AGs. Create a aaa group for authentication via radius, and one for tacacs+ then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
  eg:
  aaa group server radius rad-group
  server x.x.x.x auth-port xxxx acct-port xxxx
  aaa group server tacacs+ admin-access
  server x.x.x.x
  aaa authentication login eap-method group rad-group
  aaa authentication login auth-admin-access group admin-access local
  aaa authorization exec default group admin-access local
  now under the ssid part of the config have:
  dot11 ssid yyyyyy
  authentication open (or whatever method you use) eap eap-method
  under console/vty etc:
  login authentication auth-admin-access
  you need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs dont use aaa auth for http(s), looks like it overloads the aaa server at the moment - see field notices - probably doesnt apply to 1200s.

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• How to set proxy authentication using java properties at run time

  Hi All,
  How to set proxy authentication using java properties on the command line, or in Netbeans (Project => Properties
  => Run => Arguments). Below is a simple URL data extract program which works in absence of firewall:
  import java.io.*;
  import java.net.*;
  public class DnldURLWithoutUsingProxy {
     public static void main (String[] args) {
        URL u;
        InputStream is = null;
        DataInputStream dis;
        String s;
        try {
            u = new URL("http://www.yahoo.com.au/index.html");
           is = u.openStream();         // throws an IOException
           dis = new DataInputStream(new BufferedInputStream(is));
           BufferedReader br = new BufferedReader(new InputStreamReader(dis));
        String strLine;
        //Read File Line By Line
        while ((strLine = br.readLine()) != null)      {
        // Print the content on the console
            System.out.println (strLine);
        //Close the input stream
        dis.close();
        } catch (MalformedURLException mue) {
           System.out.println("Ouch - a MalformedURLException happened.");
           mue.printStackTrace();
           System.exit(1);
        } catch (IOException ioe) {
           System.out.println("Oops- an IOException happened.");
           ioe.printStackTrace();
           System.exit(1);
        } finally {
           try {
              is.close();
           } catch (IOException ioe) {
  }However, it generated the following message when run behind the firewall:
  cd C:\Documents and Settings\abc\DnldURL\build\classes
  java -cp . DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.net.ConnectException: Connection refused
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
  at java.net.Socket.connect(Socket.java:452)
  at java.net.Socket.connect(Socket.java:402)
  at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:402)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:618)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:306)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:267)
  at sun.net.www.http.HttpClient.New(HttpClient.java:339)
  at sun.net.www.http.HttpClient.New(HttpClient.java:320)
  at sun.net.www.http.HttpClient.New(HttpClient.java:315)
  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:510)
  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:487)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615) at java.net.URL.openStream(URL.java:913) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  I have also tried the command without much luck either:
  java -cp . -Dhttp.proxyHost=wwwproxy -Dhttp.proxyPort=80 DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.io.IOException: Server returned HTTP response code: 407 for URL: http://www.yahoo.com.au/index.html
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245) at java.net.URL.openStream(URL.java:1009) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  All outgoing traffic needs to use the proxy wwwproxy (alias to http://proxypac/proxy.pac) on port 80, where it will prompt for valid authentication before allowing to get through.
  There is no problem pinging www.yahoo.com from this system.
  I am running jdk1.6.0_03, Netbeans 6.0 on Windows XP platform.
  I have tried Greg Sporar's Blog on setting the JVM option in Sun Java System Application Server (GlassFish) and
  Java Control Panel - Use browser settings without success.
  Thanks,
  George

  Hi All,
  How to set proxy authentication using java properties on the command line, or in Netbeans (Project => Properties
  => Run => Arguments). Below is a simple URL data extract program which works in absence of firewall:
  import java.io.*;
  import java.net.*;
  public class DnldURLWithoutUsingProxy {
     public static void main (String[] args) {
        URL u;
        InputStream is = null;
        DataInputStream dis;
        String s;
        try {
            u = new URL("http://www.yahoo.com.au/index.html");
           is = u.openStream();         // throws an IOException
           dis = new DataInputStream(new BufferedInputStream(is));
           BufferedReader br = new BufferedReader(new InputStreamReader(dis));
        String strLine;
        //Read File Line By Line
        while ((strLine = br.readLine()) != null)      {
        // Print the content on the console
            System.out.println (strLine);
        //Close the input stream
        dis.close();
        } catch (MalformedURLException mue) {
           System.out.println("Ouch - a MalformedURLException happened.");
           mue.printStackTrace();
           System.exit(1);
        } catch (IOException ioe) {
           System.out.println("Oops- an IOException happened.");
           ioe.printStackTrace();
           System.exit(1);
        } finally {
           try {
              is.close();
           } catch (IOException ioe) {
  }However, it generated the following message when run behind the firewall:
  cd C:\Documents and Settings\abc\DnldURL\build\classes
  java -cp . DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.net.ConnectException: Connection refused
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
  at java.net.Socket.connect(Socket.java:452)
  at java.net.Socket.connect(Socket.java:402)
  at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:402)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:618)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:306)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:267)
  at sun.net.www.http.HttpClient.New(HttpClient.java:339)
  at sun.net.www.http.HttpClient.New(HttpClient.java:320)
  at sun.net.www.http.HttpClient.New(HttpClient.java:315)
  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:510)
  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:487)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615) at java.net.URL.openStream(URL.java:913) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  I have also tried the command without much luck either:
  java -cp . -Dhttp.proxyHost=wwwproxy -Dhttp.proxyPort=80 DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.io.IOException: Server returned HTTP response code: 407 for URL: http://www.yahoo.com.au/index.html
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245) at java.net.URL.openStream(URL.java:1009) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  All outgoing traffic needs to use the proxy wwwproxy (alias to http://proxypac/proxy.pac) on port 80, where it will prompt for valid authentication before allowing to get through.
  There is no problem pinging www.yahoo.com from this system.
  I am running jdk1.6.0_03, Netbeans 6.0 on Windows XP platform.
  I have tried Greg Sporar's Blog on setting the JVM option in Sun Java System Application Server (GlassFish) and
  Java Control Panel - Use browser settings without success.
  Thanks,
  George