Cisco AAA/Identity/Nac :: 8.4 (2) / ASA System Context Authentication Enable?

Jan 12, 2012

We have an ASA configured in multiple-context mode with software 8.4(2). The AAA configuration in the admin context is as follows:

aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
key *****
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
 
Because of multiple contexts, after logging in we enter the system context. Console port authentication is working fine, except for access to privileged mode while connecting over the console port. After issuing the "enable" command the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level command authorization and accounting. It seems that the ASA in the system context is not aware of any AAA configuration, and there isn't any command to configure AAA in the system context. Is there any way to configure enable authentication over AAA in the system context?


Cisco AAA/Identity/Nac :: Enable Authentication Mode On ACS 4.2

Feb 8, 2012

How do I configure the ACS 4.2 server, running in TACACS+ mode (user accounts configured on the ACS), to authenticate the enable-mode password on the ASA using the same AD account?


Cisco AAA/Identity/Nac :: Enable Unconditional Machine Authentication In ACS 5.3?

Jul 4, 2012

Is it possible to enable unconditional machine authentication in ACS 5.3?


AAA/Identity/Nac :: ACS 5.4 - TACACS Authentication - Drop Straight Into Enable Mode?

Dec 5, 2012

I successfully authenticate through ACS to my identity store, but only get dropped into a non-enable prompt (ciscoasa>). How can I get an authenticated user directly into enable mode?


Cisco Firewall :: ASA5580-20 High Cpu Utilization In System Context

Nov 7, 2011

We have an active-active pair of Cisco ASA5580-20 with software version 8.4(1)9. There are 8 contexts on it (including admin and system). 1 context is active on the primary node and the other 7 are active on the secondary node. User traffic is going through this 1 context (2 interfaces: inside to users, outside to the internet) and there are peaks of 1.16M concurrent connections; max bandwidth is 1.25Gbps. CPU usage for this context in peak hours is 63%, but we noticed that when we run "show cpu usage context all" from the system context it shows that the system context is using 25% of CPU, and "Total CPU utilization" (from the output of show cpu detailed on the system context) is 88%, which is bad. In non-peak hours the user context uses 33.6% CPU, system uses 14.5%, and total CPU usage is 50.5%. So, is this CPU utilization on the system context (system on the primary node) normal?


Cisco Application :: ACE 4710 Possible To Create A Context Within Same Vlan As Admin Context

May 7, 2013

Is it possible to use 1 or 2 of the 4 Gigabit Ethernet ports from one ACE straight into the other ACE for redundancy? So ACE_01 gig0/4 to ACE_02 gig0/4. If so, is it a case of just having the layer 3 config instead of trunking etc.? Also, is it possible to create a context within the same VLAN as the Admin context?


Cisco Firewall :: ASA 7.2 Adding A Context In A Multiple Context Environment

Jul 1, 2012

In my production environment I have a firewall with two contexts already defined (15% of CPU used) and I want to add a new one.

This context is going to use the same interfaces as the other contexts. When I enable the context, can there be some sort of repercussion on these two contexts?


Cisco Firewall :: ASA 8.4 In Multiple Context Mode With Different Amounts Of Context

Jan 13, 2013

I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.


Cisco WAN :: Enable IS-IS HMAC-MD5 Authentication?

Feb 24, 2013

We would like to enable IS-IS HMAC-MD5 authentication on a production network for LSP authentication, including LSP, CSNP and PSNP. The problem is that when we apply the command "authentication mode md5" under the isis process there are authentication failures and the router loses all routes from the routing table. Is there any way to enable authentication without the router losing the routes, or to "delay" the authentication until all routers are configured?

key chain IS-IS
key 1
key-string xxx

[Code]....


Cisco Wireless :: AP 1252 - Authentication And Roaming With Autonomous System

Aug 2, 2012

I have three autonomous APs in a small office running voice applications. All of them are connected to the same infrastructure switch and they have the same configuration; the voice VLAN is configured for open authentication. I have two models of AP, 1252 and 1262, and I paste the radio configuration below.

First issue: During calls users are facing problems when roaming between APs, and eventually calls are dropped.
Second issue: Sometimes one of these APs (1252) loses all transmit signal, and when it returns I get an authentication error in the log.


Cisco AAA/Identity/Nac :: ACS V5.3 Identity Selection For Authentication?

Jan 16, 2012

I previously configured ACS v4.2 to authenticate network devices using internal users first, and if the user is not found, to use the AD user list. But with v5.3 I have some problems doing this. In identity policies I use the rule-based result selection option; I configured 2 policies for the identity source, one for Internal Users and another policy for AD users, but it only works for the first policy, whether internal users or AD. How do I make it continue to the next policy if the user is not found in the first policy?


Cisco AAA/Identity/Nac :: ACS 5.2 Identity Base Authentication

Jul 3, 2011

I need specific users to be allowed access to particular devices and given privilege only for the show command or show run. Here is how I tried to configure it.

1. Configured two separate shell profiles and command sets with privilege level 4-5 and allowing only the show run command

2. Created a separate service selection rule adding the required NDG and protocol TACACS and matching service "RestrictAccess"

3. In the RestrictAccess service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets

All the steps are attached in the .doc file. However, when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.


Cisco :: Enable Password Fails In AAA Authentication Method List?

Jul 15, 2011

I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:

1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10

[code]...


Cisco Wireless :: OEAP 600 Cannot Join WLC With Authentication List Enable

Mar 17, 2012

I've got a strange problem here. In the office, my OEAP 600 can join the WLC if there is no MAC authentication. When I enable MAC authentication on the WLC, the AP fails to register. However, I tried it at home and it works with MAC authentication both enabled and disabled. I suspect it is because of the firewall in my office, but there shouldn't be any difference in the discovery and joining procedure for the AP with MAC authentication enabled or disabled.


Cisco Wireless :: Enable SSH On 3500 / 3600 APs Along With Use Radius For Login Authentication

Sep 11, 2012

Can we enable SSH on 3500/3600 APs along with using RADIUS for login authentication? The idea here is that SSH will provide another method to access the AP for troubleshooting purposes. I know with autonomous-mode APs this should not be an issue, but I'm not sure about lightweight APs.


Cisco AAA/Identity/Nac :: ACS 5.2 System Alarm Database Purging

Apr 19, 2012

On Cisco ACS 5.2.0.26 Patch 10, I got this system alarm: "Incremental backup is not configured. Configuring incremental backup is necessary to make the database purge successful. This will be useful to avoid disk space issues." View database size is 2.92GB and the size it occupies on the hard disk is 2.91GB.

In "Monitoring Configuration > System Operations > Data Management > Removal and Backup", we got this information:
Database Purging: If database size exceeds 120 GB, a backup (if configured) and purge will be initiated. If database size exceeds 150 GB, a purge will be initiated.

Could the View database size reach 120 GB? I want to know how long Cisco ACS will work without problems and whether I need to hurry to configure purging.


Cisco AAA/Identity/Nac :: Enable Privilege On ACS 5.1.0.44

Jun 4, 2011

I have created an internal user in the internal identity store --> users, with password & enable password. Similarly I have enabled max privilege level 15 under policy elements, authorisation & permission, device administration, shell profile. But I am unable to log in to the device using the enable password; I am finding the following error in my log report:

Failure reason: 13029 Requested privilege level is too high.


AAA/Identity/Nac :: ACS 4.2 On Windows 2003 - System Rename?

Jun 6, 2011

I am running ACS 4.2 on Windows 2003, and for some reason I need to rename the server name?


AAA/Identity/Nac :: Enable Password In ACS 5.3?

Jan 28, 2013

How do I configure authentication of the enable password using ACS 5.3? I have installed ACS 5.3, created a user and gave the relevant passwords. The following config is done on the router:
 
aaa new-model
aaa authentication login default group tacacs+ local
aaa authen enable default group tacacs+ enable
tacacs-server host x.x.x.x key xxxxx
 
Now when I telnet to the router, I can authenticate username/password with ACS 5.3, but when I try to enter the enable command and give the password, it gives me an error in authentication. What is the process for configuring enable passwords?


Cisco AAA/Identity/Nac :: ACS 5.3 How To Enable Log On Secondary Server

Feb 28, 2013

We are using ACS 5.3 with two servers in a distributed solution. All logs are collected on the primary server, so when this server fails all logs are lost. How can I enable logging on the secondary server also?


Cisco AAA/Identity/Nac :: How To Enable ACS 5.2.0.26 Configuration Audit

Oct 12, 2011

I would like to know how to enable the "Configuration Audit" in ACS so that when someone logs in to my network devices using their ACS login I can monitor what they did on it.

ACS Version: 5.2.0.26


Cisco AAA/Identity/Nac :: ACS 5.1 Is Refusing To Use Enable Password

Dec 21, 2012

I have migrated my ACS data from 4.1 to 5.1 and everything is working fine. To test the connection I have configured a switch to get authentication from the new TACACS server using my old username and password. I got in perfectly, but when the switch asked me for enable, which is the same password, it refused the password (I have unchecked the <use a different password for enable> option). I deleted my switch from the TACACS server to enter locally, and I went in with no problems. I thought that the problem may be from the old configuration, so I created a new username and password to check, and the problem still exists.


Cisco AAA/Identity/Nac :: Enable Parser View Command On ACS 5.X

Mar 11, 2013

I would like to check whether it is possible to bind Cisco Secure ACS 5.x to support the router/switch IOS feature view/superview and parser command.

The business objective is assigning administrative roles, with different role-based CLI access, using ACS 5.x as the backend server:
a. Admin (allow all)
b. network monitor (privilege 7, enable view that can do various show commands and configure)
c. support (privilege 1, read only)


Cisco AAA/Identity/Nac :: ACS V4.2 Changed AD Password Now Can't Get Into Enable Side

Dec 29, 2011

I changed my AD password and now I cannot get into the enable side of the Cisco switches on our network (we have no routers). Looking in the logs for ACS v4.2 I can see the following:

In TACACS+ Accounting you can see the connections which have worked; it is the initial tty connections.

When I look in the failed attempts I see the following: Auth failed - External DB user invalid or bad password, or on another occasion internal error, or EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake.


Cisco AAA/Identity/Nac :: ACS 5.4 Drop Users Into Enable Mode?

Apr 11, 2013

I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not really sure.

So here's what I tried. Linking the identity group to the external group and providing full command privileges: enable still didn't work. Creating duplicate users in the internal identity store and setting the password type field to AD1: that gives me the ability to get to the enable password prompt; hitting enter on the blank prompt then prompts for old and new passwords, but it fails every time with an Error in Authentication.


Cisco AAA/Identity/Nac :: 5510 - How To Enable Password When Using Tacacs+

Jul 10, 2012

I have been experimenting with ACS 4.2 and a Cisco ASA 5510. I have managed to authenticate the ASA users with my TACACS server. The user "test" is authenticated with the TACACS server and can log in. But the enable password is wrong, because I don't know where to place it in the TACACS server.

Now my question is, where do I set my enable password when authenticating with TACACS+? And by this I mean in ACS 4.2; I know how to do it on the ASA.


Cisco AAA/Identity/Nac :: ACS 5.2 - Interactive Viewer Grayed Out / How To Enable

Apr 7, 2011

When I launch Monitoring & Report Viewer and select one of the reports (TACACS authorization, for example), I want to filter the search with Interactive Viewer, but I can't because all options are grayed out. I've heard that some Flash is needed, but I've got the plugins installed and nothing changed.

Can I run it in the demo version? Because I've read that there is an add-on license: "Add-on licenses are available to support deployments that are larger than 500 devices (AAA clients) and to support advanced monitoring, reporting and troubleshooting functionality".


Cisco AAA/Identity/Nac :: Web-authentication Using ASA And ACS 5.1

Feb 2, 2012

In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that user? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?


Cisco AAA/Identity/Nac :: MAC OS-X And Authentication Via ACS 5.2?

Apr 1, 2012

My customer has a large installed base of Macs, all connected via a controller-based (5508) WLAN. He wants to grant access to the network based on the devices' MAC addresses and move the WLAN clients to a specific VLAN. I added all devices with their MAC addresses to the ACS internal identity store for hosts. According to the following message the client sends the user login credentials (chegger) within the RADIUS request instead of the client's MAC address, and of course it has to fail. After many configuration changes, I always ended up with the same result.


Cisco AAA/Identity/Nac :: EAP-TLS Authentication With ACS 5.2

Jun 13, 2012

I have a question on EAP-TLS with ACS 5.2. If I would like to implement EAP-TLS with Microsoft CA, how will the machine and user authentication take place? I understand that certificates are required on both client and server end, but is this certificate tied to the machine or to the individual user?

If it is tied to the user, and I have a shared PC which is logged in to by a few users, does that mean every user account will have their own certificate?

And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?

And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert on their device, right?


Cisco AAA/Identity/Nac :: AD Authentication In ACS 5.3

Jan 22, 2012

I have a new ACS 5.3 installation which I have joined to our AD domain and added the directory groups into. I have also added all our devices into ACS and their groups etc., but I am still only able to authenticate on our switches with an internal ACS account; when I try with an external AD account the log shows the following error: "Subject not found in the applicable identity Store (s)".


Cisco :: WLC 5508 Max-Login Ignore Identity Response Is Set To Enable

Sep 20, 2012

We're using a WLC 5508 with SW 7.2.103.0. Most things are working fine, but I have a problem with the web auth.

Setup:

- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized

The Problem:

- the user "test" is logged in at device1 (working); the same user "test" tries to log in at device 2 (not working, fine!) -> the login is not accepted, and the WLC redirects to the INTERNAL web login page. The problem is the redirect to the internal web login page after the failed login. If I try to log in with a non-existent user, the redirect to the customized web login works perfectly.


AAA/Identity/Nac :: Use Cisco Secure ACS 4.2 To Enable Command Authorization Using TACACS?

Nov 5, 2011

Provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.

Copyrights 2005-15 www.BigResource.com, All rights reserved