Cisco AAA/Identity/Nac :: 3750 AAA Authentication Banners And Banner Logins
Aug 10, 2009
I'm experiencing some problems with AAA authentication banners and banner logins.I'm trying to use spaces and empty lines, but when login, all the lines are after each other, no empty lines, no spaces.The problem appears on a 3750 with IOS version 12.2(5)SE2.
Is there a way to put a login banner on the ACS admin web page? Either display it directly on the web page or do a redirect to a banner page? Can I edit the admin pages directly or does ACS provide a mechanism to add this type of feature?
I have a customer who used to own a 3750 with a older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now that he has a replacement switch with a new ver of IOS (since the previous switch died). We slapped the config on from the old switch but no matter what we do (understanding that new http aaa authentication commands were added) we cant get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants.Basically what I'm trying to figure out is are we banging our heads into the wall for nothing as the "ip http server" will not allow an authentication method of "none" anyway? None of the offical documentation I have read for the http aaa authentication cmds shows this as an example nor have I found any blog posts on how to do it ether. Perhaps Cisco removed this by design.
Here is the config:
aaa new model aaa authentication login default local aaa authentication enable default none aaa authentication login none none ip http server ip http authentication aaa login-authentication none
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius server 10.15.10.20 auth-port 1812 acct-port 1813 ! aaa authentication login default group corp-radius local aaa authentication login radius-localfallback group corp-radius enable aaa authorization exec default group radius
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
Trying to apply NTP authentication to 3750 switches (layer-2 WS-C3750-24P switches) but they don't wont to work. Applying the same config to any router or 4500/6500 chassis, and NTP authenticates straight away. NTP without authentication works fine on 3750s as well...
I have a CISCO RV 120W router. I have set it up with a static IP address from Verizon. Internet can be accessed.I just want IPSec passthrough for some people who can connect with Nortel contivity client to the company RSA server. I can make only one connection. The second connection fails with 'banner text' response issues. One connection always works. The router has the latest firmware. I have enabled IPsec passthru.
I upgraded my 6509-Es (sup720s) to 122-33.SXJ3 and now the banner command can not end when I include the ^ at the end. It seems to be stuck in text edit mode IE and usually hitting enter following that brings me back to command but it doesn't do anything but bring me to the next line.
I'm having trouble with a Cisco Catalyst 2950 Series Switch where by I'm following the procedure from Cisco's web site to remove the Banner and login information, url..
Each command is being accepted by the switch from following the information given within the help sheet above,the problem i have now is when i turn the power off then turn the switch back on I'm still getting the banner and login information even though i have follwed Cisco's help correctly.
I have an ASA 5505 that I log into and currently only need a password to log onto the device. How do I set it up so a username is required as well?Another user needs to access the device. How would I set that up so they have to user their own credentials? I tried username apssword priv command and it does not work.
Each person would have their own Windows User Account name, with differentprivileges.I don't know what software could do this.The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.This is a very small business and keeping costs under control is important
I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends a answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable"
How do I setup remote login that would allow 3 or 4 people to login to the same computer. Each person would have their own Windows User Account name, with different privileges.I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.his is a very small business and keeping costs under control is important.
In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?
My customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the device's mac addresses and move the WLAN-clients to a specific VLAN.I added all devices with their mac addresses to the ACS internal identity store for hosts.According to the following message the client sends the user-login credentials (chegger) within the RADIUS-request instead of the clients mac address and of course it has to fail. After many configuration changes, I ended up always with the same result.
I have question on EAP-TLS with ACS 5.2. If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place? Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
I have a new ACS 5.3 installation which I have joined to our AD Domain and added the directory groups into. I have also added all our devices into ACS and their groups etc but I am still only able to authenticate on the our switches with an internal ACS account, when I try with an external AD account the log shows the following error "Subject not found in the applicable identity Store (s)"
Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?
we have a setup of about 14 WS-C2960-48FPS-L all running from a 3750G stack.What i want to be able to do is create dedicated accounts so that local IT admins can tag ports via CNA without calling me everytime something needs to change. How and where can i create these on CNA? Is it as simple as using the Users and Passwords options?What privledge level should i assign to these accounts so that it will give the least amount of previledge required to tag ports. I dont want them being able to change much else.
In our environment we've got a Cisco ACS-Server providing Tacacs+ (mainly for access to routers/switches) and Radius (for 802.1x-validating end hosts) services.
Aside from our IOS-based switches we've got a SG200-18 acting as a workgroup switch.
I'd like to set up user authentication on the SG200 (i.e. authentication of users accessing the switch) as well as 802.1x validation of end hosts via our existing Cisco ACS 5.x.
Unfortunately the docs for the SG200 in the chapter "Configuring RADIUS Parameters" only mentions "...For the RADIUS server to grant access to the web-based switch configuration utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.... - no examples etc.
Since the WEB-based SG200-interface is absolutely new to me I'm looking for some hints/examples on how to set up the Cisco ACS Radius Server in order to interact with the SG200.
i tried to create a customized web-authentication page that will re-direct any user to the web-page once they are connected to the network.
The problem is, i just cant attach/upload the image of the logo into the customized web-page (welcome/login page).Been researching about it, found and tried some clue bout it on cisco documentation, but still can't solve the problem.
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
If laptop/desktop goes on sleep mode or keep connected with interface configured for 802.1X for more than 12 hours it does not work or not connect to Exchange server, Cisco ISE console, office communicator..for re authentication i need to restart PC/ Laptop or unplug and replug lan cable from it!but before restarting i am able to ping all DNS, DHCP, OCS, everything..[code]
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
We would like to enable ACS authentication to login to different routers (Cisco 881s) we got that are interconnecting with our WAN via VPN tunnels. We would like to avoid using public IP for the router to communicate and relay user/password info with the ACS server and rely on the server's private IP instead. The problem is that all the router's outside interfaces connect to the Internet using public IPs and when the router wants to communicate with the ACS server it will use its public-facing interface IP and that'll fail. We can ping the server obviously when we set the source to the internal LAN IP.
The question is is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?
config being used and tested succesfully on local devices:
aaa new-model tacacs-server host 10.x.x.x single-connection key xxxxxx aaa authentication login tacacs-local group tacacs local