WAAS Authentication using TACACS+
Hi,
I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS (I use it to change config on switches and routers).
I don't know if I am missing a step to configure this feature, either on the WAAS or on the ACS.
Thanks,
TACACS really only provides a single "A": Authentication.
Are you allowed or not....
In order to provide Authorization, you still need to create the account in CM and provide a role and domain in the user config.
Leave the Local user check box "unchecked" if you plan to use TACACS to authenticate.
I'm sure there is a way to provide authorization through complex custom attributes, but it achieves the same goal via CM once authenticated.
Similar Messages
-
About 802.1x port authentication using TACACS+
Hi
I have some question. Please help me. Thanks.
Question 1. Can I use 802.1x port authentication with TACACS+?
Question 2. Is it true that TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+?
Any help would be greatly appreciated.
Thanks.
Thanks to you.
Where can I find the documents saying that TACACS+ doesn't support EAP?
I have spent more time on it and I cannot find the documents.
Please help me....
Thanks. -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
Now, those users can successfully log in to devices and execute those show commands from priv level 1, except "sh access-list". I have specifically mentioned this in the config:
"privilege show level 1 mode exec command access-list"
Is there anything I am missing, or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For (default) login you need to use the first policy matched.
You can diversify telnet/ssh from http by creating different aaa groups.
But still you will be logging in telnet users (all of them) using one method.
I hope it is clear.
PK -
Aaa authentication using tacacs+ for LAP
With an Autonomous AP, you can configure aaa authentication using TACACS+.
In a lightweight AP, do you have a similar function where you authenticate using TACACS+ when you telnet/ssh into the LAP after it is registered to the WLC?
Rgds
Eng Wee
There really isn't anything you can do on the LAP through telnet/ssh. You can enable TACACS for access to the controller.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml -
Privilege mode authentication using Tacacs for Cisco Routers
I am trying to set up a test environment where I need to be asked for both a username and a password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options on TACACS to set it up right. Has someone ever done a setup like this before? I would appreciate any help on this. Thanks.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname 2621-3
boot-start-marker
boot system flash c2600-i-mz.123-26.bin
boot-end-marker
logging buffered 5001 debugging
no logging console
no logging monitor
enable password cisco
memory-size iomem 10
clock timezone CST -7
clock summer-time CST recurring
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip domain name int.voyence.com
ip name-server 192.168.21.5
!
key chain jetef
key 10
key-string c1sco
modemcap entry ZOOM
modemcap entry ZOOM
username jeff password 0 jeff
tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
exec-timeout 15 0
logging synchronous
speed 115200
line aux 0
exec-timeout 15 0
password 7 104D000A0618
logging synchronous
modem InOut
modem autoconfigure discovery
terminal-type monitor
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password cisco
private
logging synchronous -
ACS 5.3, ASA using TACACS+ forces to PAP?
As the title says I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+. It only works if I have PAP enabled on the ACS. Obviously this concerns me. I've found the following reference in the configuration guides:
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
I can't figure out how to make the ASA use MS-CHAPv1 though. Seems like it should be pretty simple.
Incidentally I was having the same problem with VPN auths using RADIUS, but I was able to fix that by enabling the password management option, which is only available in CHAPv2. It seems that option isn't available under TACACS+.
Any suggestions?
As far as I am aware the ASA will only use PAP to authenticate console exec logins. I wish it used chap-v2.
Sent from Cisco Technical Support iPhone App -
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
Reg: Configuration of AAA using TACACS+
Hi,
I am Anubhav, I'm new to the TACACS+ server and trying to implement AAA authentication using the Cisco TACACS+ server, for which I've decided on the following AAA commands; a fallback user user1 has been configured on the router to be authenticated.
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common (purpose of this line?)
Kindly check if it's OK and that I won't get locked out. The ACS server has been defined on the router. Kindly guide us on the steps to configure the user, group and privilege level on TACACS.
Thanks.
Hi,
As I've written in my previous post, I've configured the acs-server host and key on the router; I've created a user named test 1 on ACS and added the router through Add AAA Client with Secure as the shared key. I must mention that I am using a Cisco 3845 router connected on my LAN for testing ACS, and I have access to it through the console as well. What else should I do on ACS 4.2 to get it authenticated by the TACACS server? Also, if I have more routers to add, could I create a group in the same way and add AAA clients? Kindly suggest if my approach is correct. Will there be separate users for each AAA client, or can the same user be used for all AAA clients for authentication through ACS if they are assigned to the same group or are in the Default group?
Also, how do I implement policies on a group (say: security)? Is there any screenshot tutorial available for the same?
Thanks, -
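As an added example (not code from either post), the Python script below lints the AAA method lists quoted from the 12.3 router config and from Anubhav's draft above for the conditions those two posts ask about: a list that points only at the TACACS+ group with no local/enable/if-authenticated fallback (lockout when the servers are unreachable), a list whose only method is 'none', and a tacacs-server key that sits in the config without even type-7 obfuscation. The FALLBACK_METHODS set and the severity labels are my own assumptions, not IOS terms.

```python
"""Lint IOS-style AAA method lists for TACACS+ lockout and fail-open risk.
Added example, not code from the thread: it flags a list with no fallback
behind the TACACS+ group, a list whose only method is 'none', and a
tacacs-server key stored without even type-7 obfuscation."""
import re

# Methods that still work while every TACACS+ server is unreachable. IOS moves to
# the next method only on a server ERROR (timeout), never on a REJECT, so 'local'
# is a fallback, not a second password attempt. (This set is our assumption.)
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "if-authenticated", "none"}

AAA_RE = re.compile(
    r"^aaa\s+(?P<kind>authentication|authorization)\s+"
    r"(?P<service>login|enable|exec|commands\s+\d+|config-commands|network)"
    r"(?:\s+(?P<list>\S+))?(?P<methods>.*)$")
# 'key 7 <text>' is type-7 obfuscated (reversible); anything else is cleartext.
KEY_RE = re.compile(r"^tacacs-server\s+(?:host\s+\S+\s+)?key\s+(?:(?P<type>[067])\s+)?\S+")


def parse_aaa_line(line):
    """(kind, service, list_name, methods) for a method-list line, else None."""
    m = AAA_RE.match(line.strip())
    if m is None:
        return None
    tokens, methods, i = m.group("methods").split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])   # 'group tacacs+' is one method
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return m.group("kind"), m.group("service"), m.group("list"), methods


def audit(config_text):
    """Return a list of (severity, config_line, message) findings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km is not None and km.group("type") != "7":
            findings.append(("medium", line, "TACACS+ key is readable in the config"))
            continue
        parsed = parse_aaa_line(line)
        if parsed is None or not parsed[3]:   # not a list, or a bare switch such as
            continue                          # 'aaa authorization config-commands'
        kind, service, name, methods = parsed
        remote = [m for m in methods if m.startswith("group ")]
        fallback = [m for m in methods if m in FALLBACK_METHODS]
        if methods == ["none"]:
            findings.append(("high", line, "list %s is 'none': it disables %s wherever "
                             "it is applied" % (name, kind)))
        elif remote and not fallback:
            findings.append(("high", line, "no fallback after %s: %s %s locks you out "
                             "when the servers are down" % (", ".join(remote), kind, service)))
        elif remote and fallback[-1] == "none":
            findings.append(("medium", line, "last method is 'none': fails open when "
                             "the servers are down"))
    return findings


# AAA lines quoted from the two router posts above; the rest of each config is omitted.
ROUTER_12_3 = """\
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
tacacs-server host 192.168.21.230 key cisco
tacacs-server key dakey
"""
ROUTER_3845_DRAFT = """\
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa session-id common
"""

if __name__ == "__main__":
    for sev, line, msg in audit(ROUTER_12_3) + audit(ROUTER_3845_DRAFT):
        print("%-7s %-62s %s" % (sev, line, msg))
```

Note that the "none" lists in the 3845 draft are harmless until they are applied to a line or interface; the check reports them so that someone can confirm they never are.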
Logging directly into enable mode on a PIX using TACACS
I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
Thanks in advance
Hi,
PIX does not support exec authorization. Hence user cannot login to level 15 directly.
Regards,
Vivek -
Connecting to UCS6120 from Fabric Manager using TACACS
Standalone Fabric Manager 5.0(4a)
UCS 1.4(3s)
I have to log into Fabric Manager using TACACS with SNMPv3 (company network security restriction).
I launch Fabric Manger using my TACACS account which connects to all the switches in my two fabrics using the same credentials.
I can connect to all MDS9513, MDS9222i, IBM Bladechassis FC switch modules and all NX5020 switches in the fabrics. Fabric Manager cannot connect to any of the eight UCS6120 switches in the fabrics, returning a status of Unknow User or Password(Server,Client).
This, I understand, requires the creation of a specific SNMP user, which is fine. However as I am logged into Fabric Manager using a single TACACS account, I cannot supply alternate credentials to a subset of switches in the fabric.
Is there a workaround for this to enable management of the 6120s in FM, or am I missing something?
Thanks
Mike Taylor
Fabric Manager uses the same credentials to access all systems; these credentials will need to be valid on the UCS platform as well. Create a local SNMP user on UCS and check. This needs to be different from any non-SNMP authentication accounts on UCS.
Note that FM cannot manage UCS. You will be able to view into UCS but not make changes. May not be an issue if UCSM is running end host mode. To make any changes, you will need to use the UCSM GUI or CLI or other tool for administration.
Thank You,
Dan Laden
PDI Helpdesk
http://www.cisco.com/go/pdihelpdesk -
Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
So I am trying to get TACACS+ auth to work for my ACE.
The command string that I have on the ACE is as follows:
tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
aaa group server tacacs+ tacacs+
server 172.16.101.4
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa accounting default group tacacs+ local
But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
I do not know how to do this on the ACS 5.1.0.44.
Anyone know?
TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
Thanks for your reply. About this question:
shell:<Context>*<Role> <Domain>
What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log into the ACE over the context with superuser rights.
Group setup -> users -> TACACS+ Settings -> enable Shell(exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
For example:
shell:<Context>*<Role> <Domain>
shell:Admin*Admin default-domain
Where this user will have access to the Admin context with the role admin using the 'default-domain'.
Wilfred,
What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices, or you can create another shell profile under Policy Elements -> Device Administration ->
Once you get into this shell profile, select the Custom Attributes tab and fill in the fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices also, which will impact the priv levels that they need for authentication.
After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
Thanks,
Tarik Admani -
ACS shell profile to only allow VPN authentication from TACACS+
I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, which would also allow users to SSH to all of the network infrastructure. The new profiles will be RADIUS based and will take some time to get to the users.
In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
Thanks
Hi,
I tested this with Cisco ACS 5.5 with TACACS for a VPN tunnel and it doesn't work.
It gives you an error stating that the service protocol used is for device administration.
So it doesn't allow VPN authentication to work, but for RADIUS this works properly.
Thanks & Regards,
Nitesh -
Use Tacacs+ for Admin auth & Radius for user Auth?
Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.
Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group, and EAP authentication to the RADIUS group.
eg:
aaa group server radius rad-group
server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
now under the ssid part of the config have:
dot11 ssid yyyyyy
authentication open (or whatever method you use) eap eap-method
under console/vty etc:
login authentication auth-admin-access
You need some more stuff like RADIUS and TACACS server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s. -
Client Certificate Mapping authentication using Active Directory across trusted forests
Hi,
We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., they exist in the on-premises AD and the 1-way trust allows them to use their credentials to log in to a cloud domain-joined server. This works fine with Windows authentication.
We are now looking at implementing 2-factor authentication using certificates. The PKI infrastructure exists in the on-premises forest. The users are able to successfully log in to on-premises servers configured with "AD Client Certificate Mapping".
However, we are unable to achieve the same functionality on the cloud domain-joined servers. I would like to know
1. Is this possible?
2. If yes, what do we need to do to make this work?
Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory".
1. Yes!
2. Before answering this I need to know if you are trying to perform a smart card logon on a desktop/console, or if you just want to use certificate-based authentication in an application, like a web application with client certificate requirements and mapping?
/Hasain
We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
To simulate the scenario, I setup up two separate forests and established a trust between them.
I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
I setup a test ASP page to capture the Login Info on both the servers.
With the client and the server in the same forest, I got the following results
Login Info
LOGON_USER: CORP\ASmith
AUTH_USER: CORP\ASmith
AUTH_TYPE: SSL/PCT
With the client in the domain with the PKI and the server in the other Forest, I got the following response
Login Info
LOGON_USER:
AUTH_USER:
AUTH_TYPE:
I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied -
How to set proxy authentication using java properties at run time
Hi All,
How do I set proxy authentication using Java properties on the command line, or in NetBeans (Project => Properties => Run => Arguments)? Below is a simple URL data extract program which works in the absence of a firewall:
import java.io.*;
import java.net.*;

public class DnldURLWithoutUsingProxy {
    public static void main(String[] args) {
        URL u;
        InputStream is = null;
        DataInputStream dis;
        try {
            u = new URL("http://www.yahoo.com.au/index.html");
            is = u.openStream(); // throws an IOException
            dis = new DataInputStream(new BufferedInputStream(is));
            BufferedReader br = new BufferedReader(new InputStreamReader(dis));
            String strLine;
            // Read the response line by line
            while ((strLine = br.readLine()) != null) {
                // Print the content on the console
                System.out.println(strLine);
            }
            // Close the input stream
            dis.close();
        } catch (MalformedURLException mue) {
            System.out.println("Ouch - a MalformedURLException happened.");
            mue.printStackTrace();
            System.exit(1);
        } catch (IOException ioe) {
            System.out.println("Oops- an IOException happened.");
            ioe.printStackTrace();
            System.exit(1);
        } finally {
            try {
                if (is != null) {
                    is.close(); // the stream is null if openStream() never succeeded
                }
            } catch (IOException ioe) {
                // nothing useful to do if closing fails
            }
        }
    }
}
However, it generated the following message when run behind the firewall:
cd C:\Documents and Settings\abc\DnldURL\build\classes
java -cp . DnldURLWithoutUsingProxy
Oops- an IOException happened.
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
at java.net.Socket.connect(Socket.java:452)
at java.net.Socket.connect(Socket.java:402)
at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:402)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:618)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:306)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:267)
at sun.net.www.http.HttpClient.New(HttpClient.java:339)
at sun.net.www.http.HttpClient.New(HttpClient.java:320)
at sun.net.www.http.HttpClient.New(HttpClient.java:315)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:510)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:487)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615)
at java.net.URL.openStream(URL.java:913)
at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
I have also tried the command without much luck either:
java -cp . -Dhttp.proxyHost=wwwproxy -Dhttp.proxyPort=80 DnldURLWithoutUsingProxy
Oops- an IOException happened.
java.io.IOException: Server returned HTTP response code: 407 for URL: http://www.yahoo.com.au/index.html
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245)
at java.net.URL.openStream(URL.java:1009)
at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
All outgoing traffic needs to use the proxy wwwproxy (alias to http://proxypac/proxy.pac) on port 80, where it will prompt for valid authentication before allowing traffic through.
There is no problem pinging www.yahoo.com from this system.
I am running jdk1.6.0_03, Netbeans 6.0 on Windows XP platform.
I have tried Greg Sporar's Blog on setting the JVM option in Sun Java System Application Server (GlassFish) and
Java Control Panel - Use browser settings without success.
Thanks,
George