Cisco AAA/Identity/Nac :: 3845 - Enable Secret Password Missing In Configuration
Jun 23, 2011
Recently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password, which I thought was strange. The TACACS config is below; comments regarding the TACACS config and the consequences of not having an enable secret, or whether there is a need for one, would be appreciated.
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
Dec 7, 2010
I have created a username and password with the command "username Cisco privilege 15 pass Cisco". When I telnet to the switch it asks me for the enable secret password, though I have specified privilege level 15 for the user. The switch is authenticating with ACS and I have specified privilege 15 for a specific user on ACS. The IOS is c2960-lanbasek9-mz.122-55.SE.
Jan 28, 2013
How do I configure authentication of the enable password using ACS 5.3? I have installed ACS 5.3, created a user and gave the relevant passwords. The following config is done on the router:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authen enable default group tacacs+ enable
tacacs-server host x.x.x.x key xxxxx
Now when I telnet to the router, I can authenticate the username/password with ACS 5.3, but when I try to enter the enable command and give the password, it gives me an authentication error. What is the process for configuring enable passwords?
Dec 21, 2012
I have migrated my ACS data from 4.1 to 5.1 and everything is working fine. To test the connection I configured a switch to get authentication from the new TACACS server, using my old username and password. I got in perfectly, but when the switch asked me for enable, which is the same password, it refused the password. (I have unchecked the <use a different password for enable> option.) I deleted my switch from the TACACS to enter locally, and I went in with no problems. I thought that the problem may be from the old configuration, so I created a new username and password to check, and the problem still exists.
Dec 29, 2011
Changed my AD password and now I cannot get into the enable side of the Cisco switches on our network (we have no routers). Looking at the logs for the ACS v4.2 I can see the following:
On TACACS+ Accounting you can see the connections which have worked; these are the initial tty connections.
When I look in the failed attempts I see the following: "Auth failed - External DB user invalid or bad password", or on another occasion "internal error" or "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake".
Jul 10, 2012
I have been experimenting with ACS 4.2 and a Cisco ASA 5510. I have managed to authenticate the ASA users with my TACACS server. The user "test" is authenticated with the TACACS server and can log in. But the enable password is wrong, because I don't know where to place it in the TACACS server.
Now my question is, where do I set my enable password when authenticating with TACACS+? By this I mean in ACS 4.2; I know how to do it on the ASA.
Oct 12, 2011
ACS: I would like to know how to enable the "Configuration Audit" for someone logging in to my network devices using their ACS login, so I can monitor what they did on them.
ACS Version : 5.2.0.26
May 9, 2013
We currently have a distributed PR and DR ACS 5.3 setup, set up with TACACS devices and one RADIUS device. The RADIUS device used is Opnet's AppResponse Xpert Admin. We are trying to integrate AppResponse Xpert Admin with ACS.
The GUI for AppResponse Xpert Admin is asking for the RADIUS server IP address (i.e. our ACS), the RADIUS port (i.e. 1812) and a "secret". I'm guessing this means the shared secret of the actual ACS itself (not the shared secret used by network devices).
On our ACS 4.2 systems we have a field for a shared secret regarding the ACS server itself (to authorise replication?).
Using the search function for "Shared Secret" in the PDF "User Guide for Cisco Secure Access Control System 5.3" has only found references to setting one for network devices and not a field for the ACS itself. Is an ACS server shared secret still relevant for the ACS 5.x system?
Jan 24, 2013
How do I set up an enable password for an ASA 5510? At the moment it's set up to authenticate using RADIUS (which I'd like to keep doing), but I need to set up an enable mode password.
Jul 26, 2012
I am trying to migrate an ACS 4.1.1(24) to ACS 5.2 using the migration tool. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports show no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
May 24, 2012
I am using ACS 5.2. I want the user to access the device with all necessary commands like show run/ver/int/log... I tried to set the user privilege using Shell from 1 to 10, but show run doesn't work.
Dec 31, 2011
I have two 3845 routers and HSRP is configured properly. Currently we are using a default route to the ISP, and now I want to use BGP, as I have 3 public pools that I want to advertise to the public network. How can I configure that on my router?
Dec 13, 2011
I have a 3845 that I am trying to configure, but it won't save. It doesn't matter what I do (write mem, copy run start). No matter what, if I reload it, it wipes the config. Am I missing something, or is it just bad memory? I don't get any errors when I save; it looks like it takes, but no dice.
Oct 20, 2011
We have 3845 routers with internet service providers connected to them. We have configured "router bgp 2.xxx" as our AS. What is the concept behind "router bgp 2.xxx" with the ISP?
Sep 19, 2011
I have a 50 Mbps metro ethernet connection between our main office and our colocation site, where we store web servers, DR equipment and VPN access gateways. I have two Cisco 3845 ISRs connected to the metro E circuit. The interfaces on each router are configured as 100/full, as requested by my ISP. We are connected via ethernet to a fiber media converter.
As I understand, CBWFQ will not kick in until congestion occurs on an interface. I also understand that the bandwidth command on an interface is there to provide bandwidth-related information to upper-level protocols (like EIGRP, etc.).
My question is: since the interface where I have CBWFQ configured is at 100 Mbps but my circuit is at 50 Mbps, how can I get my routers to kick CBWFQ in when traffic demand exceeds 50 Mbps? Does the bandwidth command on the interface control that as well?
Sep 13, 2012
I have a cisco 3845 running 12.4(15)T10.
I can send a POD and disconnect my session. But when I try to send a COA, I always get back the same error. Here is the debug log:
*Sep 14 17:25:16.017: COA: 172.16.XX.XX request queued
*Sep 14 17:25:16.017: ++++++ CoA Attribute List ++++++
*Sep 14 17:25:16.017: 66F2DBEC 0 00000009 string-session-id(337) 8 0000007F
*Sep 14 17:25:16.017: 670B3394 0 00000009 sub-qos-policy-out(346) 11 POLICE-TEST
[code]....
Feb 27, 2012
When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands to ldap which was missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?
Apr 12, 2012
I have two Cisco 3845 routers connected to 3 different ISPs:
- ISP 1 with a link bandwidth of 24 Mbps
- ISP 2 with a link bandwidth of 16 Mbps
- ISP 3 with a link bandwidth of 8 Mbps
I have a public AS from RIPE along with 2 class address blocks (public, provider-independent).
1) What is the best design and configuration to utilize the 3 links, outbound and inbound (since we have our public address along with an AS)? My boss told me all these 3 links must be active.
2) What is the recommended design and configuration for the whole topology? Please share the best gotchas.
3) What is the need for iBGP? Why do we need it when we run BGP?
Sep 25, 2012
This does seem correct. I had 2 rules and now they are gone.
Sep 30, 2012
I have a 3945 router and I have bought an NM-16ESW-1G1G card. After installing the card, no interface shows in "show ip interface brief" or "show run". When I enter the switch module, then I find the interface. Previously I worked with an NM-16ESW card on my 3845 router, where the card interfaces showed in my show run and interface commands, and I assigned an IP and crypto map for my branch.
So my question is: is the NM-16ESW-1G1G different from the NM-16ESW card? If not, then why can't I find the interface? If it is different, then do I need to configure the interface by entering the switch module separately?
Feb 28, 2012
I got a config of a SoHo96 router which has an IPSec tunnel configured. Now I need to understand what's configured there, and it seems that the parameters that aren't being explicitly set do not show up in the config. Thus, I have no clue about DH groups, key lifetimes and other nice things. How do I reveal the "missing" configuration items?
Jun 16, 2012
I am trying to change the IP configuration for my Cisco 1140 AP, but in the CLI I don't have a "config" command (I used "en" before to enable administrative mode).
Below are the commands I can see:
AP7081.0506.d54a#?
Exec commands:
cd Change current directory
[Code].....
Sep 25, 2012
We currently have an issue with our main ISE. When logged in using the admin account (member of the superadmin group) we no longer see the Profiling button/menu and are also missing other options in the GUI. On another standalone ISE we do see all those options.
Both are running the same software version, 1.1.1.268. We are using ISE 3395-K9 appliances.
Apr 4, 2013
Environment: AP 2602, WLC 5508 v7.4, ISE 1.1.2, Prime Infrastructure 1.2
For a specific SSID, we use the MAC address as one of the conditions to authorize access only for company-owned mobiles (smartphones and tablets), the other condition being, for the mobile, to present a valid AD user/password; this way, the so-called BYODs are rejected, since this is the rule within this company. The difficulty with this approach is the fact that there is no way in ISE Identities Endpoints nor Groups to associate a user-friendly name with the MAC address of the mobiles, which makes some actions very tedious, such as a search in the ISE authentication log based on the MAC address value itself. The question is just to know if it is planned, for future ISE versions, to add a new field in the Identities Endpoints definition that would allow associating a user-friendly name with a MAC address.
Jun 17, 2012
After an abrupt power cycle of a 6509 switch, the vlan configuration went missing. The switch has not crashed.
Feb 6, 2011
I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2. In the document [URL] Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under the TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about a null value for the attribute mentioned above. Is this some bug in ACS View or ACS, or am I maybe simply missing something?
Jan 21, 2012
I have several SG300-10 and SF302-08P switches running with L2-mode, and after I upgraded their firmware to 1.1.2.0, they began to record the following logs every one hour.
- Severity: Warning
- Description: %COPY-W-TRAP: The mirror-config file is illegal due to failure of previous copy operation/s to mirror-config.
Also I found that I don't see the Mirror Configuration file in the Configuration File Table on the Configuration Files Properties page.
May 9, 2012
I need to create a Cisco VPN Client connection. I am following the Cisco VPN client link and I don't have the command "crypto isakmp client configuration group XXXXX":
[URL]
This is what I get:
crypto isakmp client configuration ?
  address-pool  Set network address for client
This is my show version, in case there is an IOS that will work:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(17a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
[Code].....
Jun 22, 2012
I have one 3750X stack with a few vlans
--------------------------------------------------
vvlansw06# sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/6, Gi1/0/10, Gi2/0/5
Gi2/0/6, Gi2/0/37
10 LAN_10 active Gi1/0/16, Gi1/0/17, Gi1/0/19
[code]....
Where are the other vlans?
Sep 12, 2011
Configuring AAA on an 1841 router: initially it authenticates me fine using my TACACS+ login, but though I have configured an enable password on the router, the router puts me directly into privilege mode without asking for the enable password.
My AAA config is below:
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec ACS group tacacs+ local
aaa authorization commands 0 ACS group tacacs+ local
aaa authorization commands 15 ACS group tacacs+ local
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
Jun 24, 2011
How to enable the password on a D-Link DI-624?
Aug 3, 2012
I need to recover the switch enable password. I have already configured AAA also; when I try to follow the procedure below it finally says "Authorization failed". How can I recover the enable password if I try to recover it like this description says? [URL]
Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2 Set the line speed on the emulation software to 9600 baud.
Step 3 Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green.
Base ethernet MAC Address: 00:0x:xx:xx:xx:xx
Xmodem file system is available.
The password-recovery mechanism is enabled.
The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:
flash_init
load_helper
boot
[code]....
Aug 29, 2012
I have a Cisco 1801 router that is not prompting for the enable password. After logging into the router through telnet it puts me directly into privilege mode without prompting for the enable password. Here is the configuration:
User Access Verification
Username: admin
Password:
xxxxx#sh run
Building configuration...
Current configuration : 2132 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
enable password 7 022F0A5D0208063555692B
!
no aaa new-model
!
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool LAN
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
multilink bundle-name authenticated
!
username admin privilege 15 password 7 112017031E1C02181D
username user privilege 3 password 7 091D1C5A100B111B05051033
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc xxxxx
[code].....