Cisco AAA/Identity/Nac :: 2960 / CNA / Sending Empty Commands?

Dec 30, 2011

While working with Cisco's CNA (Cisco Network Assistant) on a 2960 switch, any change done by this tool is sent out as an empty set of commands to a TACACS server to approve.
 
I have a 2960 switch, a PC with CNA on it and a brand new ACS 5.2. This switch is set up for TACACS+ authorization. While working with TELNET/SSH, all commands are authorized properly. When doing "debug aaa authorization", you can see the commands are being sent to a TACACS server (as expected) for approval. And what is more important, within the debug output every command appears as "AV CMD= …" and "Arguments = …". Those commands are seen by the ACS and approved correctly. But when working with CNA, those fields (i.e. AV CMD and Arguments) are empty in the first place. Hence all the ACS does see are "empty commands" and no clue for the correct ones (say, changing an interface's description). The HTTP server has its set of authorization commands.


Cisco :: WAP 200 Wireless G Access Point Keep Sending Empty Alarm Email

Nov 5, 2012

We have a WAP 200 wireless G access point. It worked perfectly before. About two weeks ago, we didn't change anything, but it began to send an empty alarm email every 10 minutes. We upgraded the software to the newest version and restarted it several times. But till now, it still keeps sending empty alarm emails.


Cisco AAA/Identity/Nac :: ACS 5.2 - Command Set Is Empty

Jan 15, 2012

I have a problem with the ACS 5.2 configuration: I am trying to use AAA authorization to centralize privileges and commands, but only the privilege level is sent to the router; the command sets aren't sent.
 
The test scenario is this:
 
ACS 5.2
Router 2900 family, IOS 15.0
The ACS is configured with:
 
Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).
 
The router is configured with the following commands:
 
[code]....


Cisco AAA/Identity/Nac :: ACS 5.2 Command Set - How To Authorize Empty Arguments

May 19, 2011

After switching from a very old ACS 3.2 to ACS 5.2, I'm wondering how to specify an empty argument in a command set.
 
Example:
 
I want to permit:
write 
but I don't want to permit:
write terminal
write erase
write network
write core
and so on.
 
If I specify command="write" and leave the argument field empty, every argument is allowed. This would also permit "write erase", which I don't want.
 
In ACS 3.2 I could specify command="write" and argument="^<cr>$". This does exactly what I want. The command write with an empty argument is allowed. If there is any argument, the command is denied.
 
In ACS 5.2, if I enter the same string in the argument field, the "<cr>" is filtered out and in the config there is now only the string "^$", which is not working.
 
How do I specify an empty argument?
 
BTW: ACS View shows only [ CmdAV=write ] in the logs...


Cisco AAA/Identity/Nac :: ACS5.1 - Unable To Authenticate AD User With Empty Password

May 30, 2011

Our customer has the business need to authenticate remote users against AD with an empty password. I've seen the ACS 5.1 release notes, which mention a resolved issue: CSCte72751, "ACS 5.1 drops authentication with empty password".

I tried to authenticate dial-in users through TACACS and RADIUS against AD with an empty password, but without success. ACS points to a wrong AD password. Is it possible to authenticate remote users with an empty password?


Cisco AAA/Identity/Nac :: ACS 5.2 CLI Commands Authorization

May 9, 2011

I have a conceptual question about CLI command authorization. We have ACS 5.2 up and running, providing AAA services for network devices. Now I need to make profiles for users in a certain group to restrict their CLI "rights" to the show, clear counters and show running-config commands. I need to accomplish this task. I should create a separate privilege level profile (let it be 2), specify commands at this level, assign this Authorization Profile to the Group and make some additional changes in my devices.


Cisco AAA/Identity/Nac :: 5540 TACACS+ Accounting Commands

Aug 30, 2011

I've set up my 5540 ASA to do command accounting on TACACS+. Every movement done through ASDM is logged on TACACS+ in this form: cmd=perfmon interval 10. What does that mean? Why doesn't it record the exact command I'd issued?


Cisco AAA/Identity/Nac :: ACS5.2 Command Sets Permit All Commands

Mar 3, 2011

I have everything working on a new 5.2 ACS but: I can only make a command set that permits things and denies all. I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands, and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf", for instance.
 
Then it works as expected: it allows the commands that are permitted and denies all unspecified commands. I know I am in the right command set because the changes I make are reflected immediately. Can someone test the "Permit any command that is not in the table below" option and tell me if it works? I can make it work with the box unchecked, sure, but it would be nice to get it to work.


Cisco AAA/Identity/Nac :: ACS Version 4.2 (0) - Configure Shell Commands Authorization?

Sep 22, 2012

I'm trying to configure a shell command set such that all commands (including under conf t mode) will be allowed, except for administrative commands such as write, copy, admin, format etc. It's been working for (most) privileged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example. Here's the input of the shell command authorization set (Partial_access):
 
Unmatched Commands: permit
Command list:
admin
copy
delete
do

[code]....


Cisco AAA/Identity/Nac :: 1121 - Configuring ACS To Strip Domain From Request And Sending It To AD

Jul 24, 2011

We are currently evaluating an ACS 1121 running 5.2; we are trying to configure this to authenticate EAP-PEAP requests.

Our users will be using credentials in a username@example.com format. If the server sees a request using username@anotherrealm.com then it would forward the request to an external proxy RADIUS server; if the server saw a request for our domain it would strip off the @example.com part and authenticate against AD.
 
I'm finding it hard locating documentation on how to tell the server that if a request comes from a NAS using username@example.com, then strip @example.com and authenticate username against AD.


Cisco AAA/Identity/Nac :: 3841 Authorization Commands Take 8 Seconds To Send Initial TCP

Aug 24, 2012

Device: 3841
IOS: 15.1(4)M2 ADVSecurity
Commands: AAA Authorization
 
Commands take approximately 8 seconds to process when required to authorize with ACS. The show run command will take 8 seconds to process, then the output is displayed. A packet sniff indicates that it takes 8 seconds for the router to send the initial TCP SYN SEQ packet to ACS. Login to the device has no delay.


Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test the following 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: what is the difference between the protected identity pattern and the unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine-only and user-only authentication).


Cisco AAA/Identity/Nac :: AAA Authentication With 2960

May 17, 2011

I have configured the Cisco 2960 switch with AAA, and the RADIUS server is FreeRADIUS. I am able to log in to the switch when the RADIUS server is working. But when the RADIUS server is not reachable, in that particular condition the switch doesn't move to the local authentication configured on the switch.
 
aaa new-model
aaa group server radius radiuss
 server 10.1.0.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group radiuss enable
aaa authentication login CONSOLE local
aaa authentication enable default group radius
aaa authorization exec default group radius if-authenticated
 
radius-server host 10.1.0.215 auth-port 1812 acct-port 1813 key 7 071F285C422948514117171
radius-server retransmit 2
 
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 14341B1B7D6F0417626173455E47060F
 login authentication CONSOLE
line vty 0 4
 access-class 91 in
 exec-timeout 5 0
 password 7 106D004F2C3B7B7F757E6A64812812d
 transport input ssh
line vty 5 15
 access-class 91 in
 exec-timeout 5 0
 password 7 106D000A061845jsajtqwkd327E6A64
 transport input ssh


Cisco AAA/Identity/Nac :: 3750 - Cannot SSH To Switch 2960

Jan 10, 2012

I replaced an access switch 3750 with a switch 2960. Basically I just copied the whole config of the 3750 to the 2960.
 
The 3750 uses AAA, crypto pki trustpoint TP-self-signed, radius-server host etc.
 
Now I can only telnet to 2960 but not SSH to it.


Cisco AAA/Identity/Nac :: 2960 Configuration Combination Not Working

Mar 3, 2013

We have a configuration that works fine, but one of the combinations doesn't work. When we connect a guest laptop, the first time it works fine. The configuration is: when the laptop doesn't authenticate with RADIUS, the DHCP server assigns the guest VLAN and a guest IP. The first time was OK. After that, we connect a laptop with users that authenticate and it works OK: RADIUS assigns the users VLAN and the DHCP server assigns a users IP. The problem was when we connect a guest laptop for the second time: RADIUS didn't validate and the laptop didn't negotiate an IP with the DHCP server. At this time, the administrator of the DHCP server tells us that they didn't see any traffic from my MAC, and it no longer runs fine. If we change the port of the switch, the laptop starts working again.

RADIUS = NPS
DHCP server: is typical.
 
Our scenario is with a Cisco IP phone. The IP phone doesn't have authentication. The administrator of RADIUS tells us that the configuration is fine and the configuration of DHCP is fine. When we connect only the laptop, everything runs OK.
 
Port configuration:
 
interface GigabitEthernet1/0/3
switchport access vlan 202
switchport mode access
[Code]...


Cisco AAA/Identity/Nac :: 2960-24pc-l Running 12.2(55)SE5 IOS Not Working

Mar 20, 2013

I am trying to get AAA authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work. I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS. Here is my config: [code]
 
When I log in to the 3750, AAA is used. When I log in to the 2960, the local username is used. Any thoughts here as to why it works on the 3850 and not the 2960?


AAA/Identity/Nac :: 2960 - ACS 4.2 NDG And Shell Authorization Sets

Nov 25, 2011

I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 ACS installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.

I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign the shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
 
One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create the association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it into the DEFAULT group.


Cisco AAA/Identity/Nac :: 2960 - Unable To Login To Enable Mode

Dec 30, 2012

I configured the below config in routers and it is working well, but when I do the same in a SWITCH-2960, I am getting a problem: not able to log in to enable mode ... I am getting the basic login only ....
 
Error msg: % Error in Authentication.
  
Needs to be configured at TAFE network devices: Code...


Cisco AAA/Identity/Nac :: 2960 - 802.1x EAP-TLS With NPS / W2008 Authentication Result Timeout

Jun 21, 2012

[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS as a RADIUS server
 
The problem is the end stations that are still connected to the supplicant port /using EAP-TLS/ after the supplicant reboot! All of them will be put into the Guest VLAN instead of static VLAN 34!
 
[The question]
What is wrong, and how to configure/tune the authenticator or authentication server to prevent observing authentication timeouts after the reboot? Of course the supplicant, after 20 minutes /next EAPOL start frame/, is put into VLAN 34.

[Code] ........


Cisco AAA/Identity/Nac :: Configure Guest Vlan And Restricted On 2960

Apr 17, 2011

I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
 
I am trying to configure the interface using the following commands: [code] A similar result is obtained while trying to configure an auth-fail VLAN. The full configuration file is attached.


Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extract of the configuration and the debug output. The RADIUS servers work fine with all the other accesses like SSH, Telnet...
 
Just the HTTP access fails. This configuration worked fine with version 12.2.55 installed before.
  
aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....


Cisco AAA/Identity/Nac :: Aironet 1142 As Supplicant To 2960 Switch

Apr 23, 2013

First, my configuration, (then the problem down below):
 
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
 
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending the VSA device-traffic-class=switch to the 2960. The closet 2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
 
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet 2960. STP is correct and verified on all switches.
 
I have DHCP snooping configured on the user-area 2960, but only for VLAN 1 [NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on the wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
 
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet 2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
 
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. OK, now the problem:
 
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with the "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
 
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user area, and the AAA config pieces:
 
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
[code]......


Cisco AAA/Identity/Nac :: 2960 - Manually Re-authenticate Dot1x Client?

Jan 17, 2013

I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this: [URL]
 
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
 
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?


Cisco AAA/Identity/Nac :: 2960 - Central Web Authentication With Switch Not Working

Mar 27, 2012

On the follow-up to the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
 
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
 
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
[code]....


Cisco AAA/Identity/Nac :: 2960 - Remote Desktop To Machine 802.1x Authenticated By User (Wired)

Jan 22, 2012

802.1x is working properly and the 802.1x port is up, but when I do a remote desktop to a machine that is 802.1x authenticated by a user (wired), first the login to the PC is successful, then (after 3 minutes) the switch port goes down..
 
debug radius authentication
debug aaa authentication
 
Nothing appears in the log, only the message that the port is down.
 
Equipment:

Cisco 2960, Cisco ACS 4.2, MS Active Directory authentication
Client: Windows XP, Windows 7

Cisco 2960 port config:
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop


Cisco AAA/Identity/Nac :: Configure IEEE 802.1x Port-based Authentication On Switches / Preferable 2960 Series

Aug 14, 2011

I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on all of them. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.


Cisco :: All Devices Isn't Empty In LMS 4.2

Jun 3, 2012

After upgrading from Prime LMS 4.1 to 4.2 (Windows version), the "All Devices" group and all the other system-defined groups are empty.
 
The "Inventory dashboard" shows 397 reachable devices which is correct. I can access the devices when I type the name into the search field in the upper right corner of the LMS page.
 
When I open a device selector (e.g. from the "Device Management" tab), all system-defined groups are empty.
 
When I make a new user defined group with the definition "IP address contains '1'" I get a group with all devices.


Cisco :: LMS 4.0 - Empty Device Selector?

Oct 9, 2011

Although we see all our devices in the Inventory portlets, we can't access devices via the device selector, neither in CM, RME, DFM... Is the OGS server running?


Cisco :: LMS 4.2.1 Net-config Job CLI Output Empty

Jul 18, 2012

I have run a NetConfig job in LMS 4.2.1 with these settings: [code] After running the job, the "Device Details" of the job say "Successful Devices" for all three switches: "Deploy successful (Primary Login Succeeded / Primary Enable Succeeded)". For the devices switch-1 and switch-2 I get the desired output: [code]. Why is there no output although the job is successful?


Cisco :: Resetting LMS 3.2 Data To Empty

Jan 29, 2013

I would like to empty my LMS 3.2 DB and re-discover all of my devices again. What is the best way to do this besides wiping the software and reinstalling?


Default Gateway Came Up Empty

Feb 8, 2013

I am having issues playing certain games on my PS3. So I've been searching for solutions and I came across a video that wanted me to go to run/cmd/ipconfig. I have little knowledge of computers, but I'm not sure that what my ipconfig is showing is supposed to be there. At first I googled and learned about IPv6 addresses because I found that weird, but I think that checks out fine. I then googled about the weird numbers and letters in my default gateway and came up empty. Is there a reason that's there?


Cisco :: LMS 4.1 User Defined Groups Empty?

Jan 23, 2012

I have seen some discussion in the forums regarding user defined groups being empty in LMS 4.0 but not 4.1. I am having this issue in 4.1. Under User Defined groups, I have created 2 logical groups named "Physical Location" and "Switches". These do not contain any actual devices; they are just containers for other groups. Under the Physical Location logical group I have created 2 other groups, Acuna and Hampton. Under the Switches group I have also created 2 groups, HDM and HHC. The criterion for the Physical Location group is based on the first 3 characters of the hostname:
 
Device.System.Name startswith "hdm"
 
The criterion for the Switches group is based on the value of a user defined field, Admin_responsibility:
 
Device.Admin_responsibility equals "HDM"
 
The Physical Location groups work; the Switches group does not. Both the HDM and the HHC group should contain several devices. The HDM group contains 2, the HHC contains none. If I edit the groups and click "next" until I get to step 3, Membership: Edit, the "objects matching criteria" list is fully populated; it contains the devices that it should contain. However, after I click "Finish" and go to Inventory => Add / Import / Manage Devices there is no change in group membership: the HDM group contains 2 devices and the HHC group contains none.


Cisco :: LMS 4.2.1 - Legacy Menu Is Completely Empty

Jun 13, 2012

After an upgrade from LMS 4.2 to 4.2.1, the Legacy menu is completely empty. Is it a bug? If it's empty, how do I get to some of the DFM options (like rediscovery, discovery status etc.)? They seem not to be present in the "Site map".

Copyrights 2005-15 www.BigResource.com, All rights reserved