I would like to make a centralized management of loggin account on my cisco switch (with a radius server). But, on Cisco 3750 E, i use 12.2(44) SE1 IOS and no command aaa authentication login exist.
Cisco 3750 can support other IOS than 12.2 who have this ability ?
I have a customer who used to own a 3750 with a older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now that he has a replacement switch with a new ver of IOS (since the previous switch died). We slapped the config on from the old switch but no matter what we do (understanding that new http aaa authentication commands were added) we cant get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants.Basically what I'm trying to figure out is are we banging our heads into the wall for nothing as the "ip http server" will not allow an authentication method of "none" anyway? None of the offical documentation I have read for the http aaa authentication cmds shows this as an example nor have I found any blog posts on how to do it ether. Perhaps Cisco removed this by design.
Here is the config:
aaa new model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none
[code]....
I'm experiencing some problems with AAA authentication banners and banner logins.I'm trying to use spaces and empty lines, but when login, all the lines are after each other, no empty lines, no spaces.The problem appears on a 3750 with IOS version 12.2(5)SE2.
View 5 Replies View RelatedI'm unable to login Switch.......getting following error...I have tried this commands on other 3560 that worked...when I enter user name & password re logging authentication failed error occurs .........This is remote site Switch.
[code]...
I have 3750 switch (WS-C3750G-24TS-S1U) with IP Services version
Switch Ports Model SW Version SW Image------ ----- ----- ---------- ----------* 1 28 WS-C3750G-24TS-1U 12.2(46)SE C3750-IPSERVICESK9-M
on the switch, I have configured aaa new-modelaaa authentication dot1x default group radius dot1x system-auth-control but i am not able to implement the command under interface
Switch(config)#int gigabitEthernet 1/0/20Switch(config-if)#do?down-when-looped
dot1x commands are not available under the interface config. Is the IOS version is compatible with dot1x?
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
View 4 Replies View RelatedI've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius.I've already managed to link it in for ssh access
but I've not managed to get it working for http / web access to the switchI think this is because we're using "single use" tokens for maximum security with RSA Secure-ID and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server (okay on the first authentication, but each time after it's going to want a different token code)
(if there's a way to get the switch to just authenticate once instead of multiple times against the radius server) For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2
how ISE support on third party LAN switch, if the requirement is doing 802.1X based flexauth.Refer to the diagram i attached; 01 topology.png
Concern 1: if the 3com switch with 802.1X feature, but still without the full feature to support FlexAuth, policy encforcement, DACL etc. In this kind of situation, will user still able to authenticate (using method PEAP-MSCHAP v2), but authorization just grant with permit any any?
Concern 2: Can i assume i authenticated the 3com switch using MAB? But this will cause endpoint with no 802.1X, am i right?
Concern 3: cisco switch C4507-E, loaded with IOS version Cat4500e-UNIVERSALK9-M, version 03.04 and Supervisor Engine :WS-X45-SUP7-E, is this platform is supported in Cisco TrusctSEC?
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in(code)
I am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
View 1 Replies View RelatedI replaced an access switch 3750 with a switch 2960. Basically I just copy the whole config of the 3750 to 2960.
The 3750 use AAA, Crypto pki trustpoint TP-self-signed and radius-server host etc.
Now I can only telnet to 2960 but not SSH to it.
I'm trying to set up my DIR-835. I keep getting "Authentication failed".
View 4 Replies View RelatedWe have a C4948E switch which is generating the following logs every ten minutes:
May 28 12:44:13 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Username: -40.0] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 12:44:13 UTC Tue May 28 2013
May 28 12:44:59 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 12:44:59 UTC Tue May 28 2013
We have a terminal server (C2901) set up with reverse ssh to all the devices including the above C4948E. Can this be the one to initiate the logins?
The IOS of both devices is as below:
C4948E - cat4500e-entservicesk9-mz.151-1.SG.bin
C2901 - c2900-universalk9-mz.SPA.152-3.T.bin
I am unable to identify what is triggering the above logs to be created.
I am configuring my 5508 WLCs with SW version 7.0.116.0. I configured a guest ssid with web-authentication enabled, but I cannot retrieve the login page on the controller. I configured the virtual interface with the addredd 1.1.1.1 SSID Layer 2 security: None SSID Layer 3 security: Web Policy enabled
I join the ssid with clients, receive the IP address correctly however when I try to open a web page, the login page does not appear. When I check the client status I see that it stuck in WEBAUTH_REQD state.
i have a dir 825 with fw 2.00eu that i wanted to upgrade to the new beta fw.i went to tools and did a factory reset first,when i wanted to log back in to load the new fw,it sudenly asks for a authentication code,problem is the field is marked with a red x so i cant see any code i'm using windows 7 and IE 9?
View 5 Replies View RelatedI use IE7.0
192.168.1.1
user name : admin
password : admin
Error is saying "401 Authorization required" Browser not authentication-capable or authentication failed.
Can we enable ssh on 3500 /3600 APs along with use radius for login authentication? idea here is to that ssh will provide another method to access the AP for troubleshooting purposes.I know with autonomous mode APs this should not be an issue but not sure with lightweight APs.
View 2 Replies View RelatedI configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies View RelatedI need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
I can access to Cisco 3750 with SSH, but fail to login to web http with the same login.I am able to get the login prompt, the login error I get is "The server at level_15_access requires a username and password."Below is my switch config:username admin privilege 15 secret 5 $1$xsdfajiwuoeirlkajsd.
View 1 Replies View RelatedI want to make my switch send trap when failed SSH login is detected. I found the "login Enhancement" feature and enabled the trap and logging for the failed attempt.
3750# sh run | in login
aaa authentication login default local
login delay 1
[Code].....
how can I import a public or private key in a router? For example, a Cisco 3560th I have found some conflicting answers @ cisco.com . Background, I would like to login with PUTTY via ssh on a Cisco Router but without username and password.The login should be made with RSA Keys. For this I need to deposit on the IOS device's the public key and on my Client the private key. For this I've already created with PuTTYGen the two keys. The private is in the ppk format. I still need to convert this into a different format? Since there are PEM and PKCS. Below you can see what times I have entered. With the error message: "CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x705" With the following error message I can do anything?
View 2 Replies View RelatedI have two ACS 5.2 working in redundancy Primary and Secondary my question in when my primary ACS goes down i can´t see the log in the secondary ACS. I read in the documentación that only one ACS can be configurated for working like logg collector server. Now I configurated my secondary ACS like logg collector server now when my Primary ACS goes down i can see the logg. Finally when my Secondary ACS goes down i can modified the ACS Primary Configution by show me the logg.. Is possible to do this automaticaly for show me the event logg ? when the ACS that is configurate like logg collector server goes down pass the event other ACS automatically..
View 3 Replies View RelatedFew days ago in my wireless infrastrucer i deploy Cisco ACS 5.0 with Active directory integration. My wireless users are login through web authentication process. The authentication process is passed by AD & its working fine. But i want to do a work on my ACS 5.0 that a user cannot login simultaneously multiple device at a time.
View 21 Replies View RelatedWe created some local account for this switch but we unable to login when the TACACS Server down.
3750 Switch
aaa group server tacacs+ ACS
server x.x.x.x
server x.x.x.x
ip vrf forwarding Mgmt
ip tacacs source-interface GigabitEthernet0
[code]....
Trying to apply NTP authentication to 3750 switches (layer-2 WS-C3750-24P switches) but they don't wont to work. Applying the same config to any router or 4500/6500 chassis, and NTP authenticates straight away. NTP without authentication works fine on 3750s as well...
ntp authentication-key 1 md5 <key>
ntp authenticate
ntp trusted-key 1
ntp server 10.200.11.200 key 1
Is there additional config required for 3750s? This is across different IOS versions, so doesn't look like a bug..
As observed ACS 5.x " Change Password on Next Login" Feature does not work with SSH Clients ( tried with X-sheel, Secure CRT, Putty etc...) , however through telnet session to IOS devices, users can change their password on their next login.
1: on ACS 5.x i create a new user & Set " Change password on NExt Login" option.
2: Logged into the device through Telnet & Password can be changed after i authenticate successfully. however the same is not happening when i login to the devices through SSH.
is it because of the fact that SSH is encrypted session ?
Because changing password through a telnet session is not accepted in many fanancial organizations as per PCI Standard.
We have an ACS 4.2 installation and we have users configured on the user setup, they authenicate using the windows database (AD). We ran failure tests and simulated AD failure but disabling the firewall rule. So the ACS server is up, AD is down. Tested user login to a switch and get the following error. External DB user invalid. It looks like as the ACS does not get a response from AD it rejects the user login.
What we want it to do is in the event of AD failure is to be able to login to the switch with the username configured on the switch. (as if ACS server does not respond)
Date Time Message-Type User-Name Group-Name Caller-ID Network Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter Information PEAP/EAP-FAST-Clear-Name EAP Type EAP Type Name Reason Access Device Network Device Group 02/03/201214:09:13Authen failedtest.testNetwork192.168.1.1(Default)External DB user invalid or bad password....tty310.0.0.1..........SWITCH30Office
Is it possible to track failed login attempts to ACS instances (both on CLI and web GUI) by snmp? unfortunately i haven't found such option in Monitoring and Reports > Alarms > Thresholds >
View 2 Replies View RelatedI have an ACS 5,2.0.26-8 running on VM intergrated with RSA. Users are able to login using their RSA passcode for network management utilizing TACACS. The problem seam to be related with RSA token caching. Once a user login sucessful on device A using current token he can not login with the same token on another device. User must wait for a new token and then he can login again. Before moving to ACS 5.2 we were using ACS 4.2 (intergrated with the same RSA) and back then ACS 4.2 cache passcode so user where able to login on devices using the same passcode. When the token change user have to use the new one. providing the same functionality like the "Token Card Settings" Durantion option under group properties, to cache token for a specific period. The global option for caching under RSA definition on 5.2 does not solve the problem.
View 4 Replies View RelatedI've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
All the logins hit the Admin account, even though the id in AD is not in the that AD group. I have something screwed up.
How to see the ipsec vpn client users login history, they are authenticating to the local AAA, not to active directory. I am able to see current login session. by going to monitoring vpn statistics sessions this shows me current sessions but I would like to see for example logins for vpn client for the last month.
View 11 Replies View Related