how to add tacacs custom attribute to ACS 4.2 for Nexus 1000V:shell:roles="network-admin admin-vdc"In the interface configuration I've added new service, service - shell, protocol - tacacs+.In the group settings I've enabled this attribute configuration. And it is not works. Default privilege level is assigned to any user with access allowed.
View 8 RepliesI want to configure RBAC for ANM 4,2 using tacacs+ and ACS 5.1 [code]
When the admin user logs in, this policy element is triggerd, but the Role is not sent back.How to configure the Custom Attribute?
I am trying add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
ervice = netscreen {
vsys = root
privilege = read-write
} I know how to add this to a version v4.x ACS
However, I do not know how to apply this to the custom attribiutes to a v5.x ACS?do I add the vsys and privilege attribute seperately or together? What should be the attribute name? netscreen? Should it be mandatory?
how do i set limit on the log file size in ACS 5.3. I had the same issue with Nexus 1000v but there is a command that enables you to set log file nane and size. it is getting bulky.
View 7 Replies View RelatedI am having an issue with authorization on the Nexus 5548. Note: The tacacs configuration has and still works correctly with all non-Nexus gear.
Authentication succeeds, and initiatial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name), are configured.
ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with Access Policy.
I see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it? 2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved). 2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.
View 2 Replies View RelatedI m trying to setup a Tacacs config onto my new NEXUS 5000 series.Nevertheless the authentication doesn't work.Actually I followed the config guide but something is not working or missing.I have setup everything through VMWARE with ACS installed on a Windows server.
View 20 Replies View RelatedI am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
View 6 Replies View RelatedI want to apply QoS policy on a particular VM for specified port range only. I have created following script file but that doesnt work. I mean it doesnt apply any policy on vm residing on Veth1.
config t
ip access-list acl_in
101 deny tcp any any eq 443
exit
[Code].....
I want to configure snmp-traps regarding stpx (root-inconsistency, loop-inconsistency) on a Cisco Nexus 1000V. The command "show snmp traps" lists stpx as a trap that could be configured and which is not at the moment.
MKBE1NX1# sh snmp trap
--------------------------------------------------------------------------------
Trap type Enabled
--------------------------------------------------------------------------------
entity : entity_mib_change Yes
entity : entity_module_status_change Yes
entity : entity_power_status_change Yes
[code].....
Nothing about stpx... Is there some other way to configure more traps?
Nexus1000V and I was wondering if there is a way to limit snmp access via access-list on the RO/RW community, as can be done on IOS. I can't find anything relevent on the Reference Pages
View 3 Replies View RelatedAnyone got a single VSM (albiet in HA) managing two vDS split over two ESX clusters connected to a single instance of vCenter?
View 0 Replies View RelatedAccording to the note at the bottom of a VMware KB Article "Cisco Nexus 1000V and VMware vCloud Director 1.5,"
"Note: You are must use the Cisco Virtual Network Management Center (VNMC) virtual appliance from Cisco. This is a separate products and needs to be licensed from Cisco."
Is this actually the case? I know you could use portgroup based network pools with vCD 1.0 and 1kv. Can I use the 1kv with VLAN-backed network pools in vCD 1.5 without the Virtual Network Management Center or is it required?
We have a requirement for private VLANS for DMZ hosting within one of our datacentres. I just want to query how private VLANs would work in our environment.We have physical servers connected to fex ports (2 fex per rack for each 5k) of a 5548UP switch, virtual servers using the nexus 1000v (vmware hosts connected to fex ports) Out firewalls and load balancers are connected to an upstream pair of nexus 7ks using vPCs.My question is this, ordinarily the firewall would be in a promiscuous port but as these reside on a physically separate switch will the normal vPC trunk still be sufficient or would the "switchport mode private-vlan trunk promiscuous" be required on the vPC up to the northbound 7k.As these connections are already in production I do not want to affect the existing traffic that doesn’t use private VLANs.
View 3 Replies View RelatedWe are trying to install the latest version of Nexus 1000v to ESXi5.1 and the installer application is much better than the previos one, but we are having problems with implemetation, because deploying of OVA file times out.
First attempt: Nexus-1 was successfully deployed on ESXi-1, but Nexus-2 which should be deployed on ESXi-2 returned an error: "Deploy OVF template":"Operation timed out." Second attempt: Deploying of Nexus-1 returned the same error Third attempt: The same as the first attempt.
It looks like that there is a time limit which is used for deploying OVA file and since file needs to be uploaded to ESXi it takes too long, so the installation fails. Is it possible to extend this time?
I just installed a N1K (with code 4.2(1)SV1(4a)) and I was trying to setup a private vlan.
Example:
vlan 300
name PRI-VLAN
private-vlan primary
[Code]....
I upgraded another n1k (that already had pvlan configured) to this version of code and it has the private vlan option. This was just installed yesterday so I don't have the license on it yet.
According to Cisco, Nexus 1010 can host up to (6) Virtual Service blades. I can't find out how many Virtual Supervisor Modules and Virtual Ethernet Modules that make up one Nexus 1000v switches can be supported by each Virtual Service Blades. In other words, how many Nexus 1000v switches can be created with Nexus 1010 appliance?how to configure Nexus 1000v switches with vmware. without Nexus 1010, the standalone nexus 1000v switches was configured from vCenter as an OVF. But how to configure Nexus 1000v switches with vmware where nexus switches are hosted on Nexus 1010 appliance.
View 1 Replies View RelatedHaving problem pinging from Host A on ESX1 to Host B on ESX2. Each host are assigned the same port-profile. If I put 2 host's on the same ESX machine using the same port-profile, they are able to ping each other.
n1kv-vsm# sh port-profile name xxx-prod-40port-profile xxx-prod-40 description: type: vethernet status: enabled capability l3control: no pinning control-vlan: - pinning packet-vlan: - system vlans: 1 port-group: xxxl-prod-40 max ports: 32 inherit: config attributes: switchport mode private-vlan host switchport private-vlan host-association 40 400 no shutdown evaluated config attributes: switchport mode private-vlan host switchport private-vlan host-association 40 400 no shutdown assigned interfaces: Vethernet3 Vethernet4
System-uplink profile is trunking all vlans.
I'm authenticating users against Active Directory and want to also check additionals attributes from LDAP. In ACS 5.3. it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match with some value, the attribute is not retrieved and autorization ends on default Deny Access.
We have just set up a Secure ACS 5.2 VM to provide authentication for Anyconnect VPN clients. The clients connect to an ASA 5520, which queries the ACS, which in turn queries Active Directory directly. All seemed to work OK, but I noticed it was using PAP. Following some docs, MS-CHAPv2 was enabled via the "Password-management" command. This broke the configuration and the error on the ACS was:
11309 Incorrect RADIUS MS-CHAP v2 attribute Some references suggest that the ASA and ACS should talk MSCHAPv2 without additional config, so I guess it must be the ASA config for the tunnel-group. There are additional secondary authentication and authorisation pages on ASDM, that I suspect might be necessary to use mschap.
I'm using Cisco ACS 3.3 for RADIUS. How to do I make Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.
View 9 Replies View RelatedACS 5.3 always sends the class=cacs:xyz attribute in an authentication response. How can I suppress that behaviour? The Cisco Email Security Appliance doesn't support multiple class attributes (defect 49096) and even treats guest users as administrators.
View 2 Replies View Relatedhow I can determine what attribute is coming up as 'invalid' ?Tried full debug and looked at all the logs - nothing.
View 1 Replies View RelatedI am doing 802.1X for a user on Cisco 3650 and wanted the Radius Server to return an attribute to set the Duplex setting of the port. with the correct Radius Return Attribute.
View 4 Replies View RelatedI have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine however recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks. DNS client is enabled in the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records. My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly. I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this. I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
I have a little problem. My customer is using TACP-PLUS ALPHA (F4.0.3.alpha.v9). Well, the same user than have access to another Cisco equipment, with user test1 by sample, can configure anything in the equipment. But in the nexus 5000, el command "show user-account" indicate just the "network-operator" role. Well, I patch this situation with the next commands:
aaa authorization config-commands default group TACSERVER local
aaa authorization commands default group TACSERVER local
Well, when I do a telnet into the nexus, I can shut the interfaces, config and anything. But, when I ingress by console, I can not to configure the interfaces.I understand that the Nexus 5000 the Tacacs configuration is global for VTY and Console (different in the Cisco equipment Routers by sample).
I have been tasked with migrating from ACS 4 to ACS 5.3. I havent had any training and so i am finding it a bit different. Currently i have this issue -
I have a group in the ACS 4 for users accessing via wireless on the ACS - Code...
is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
Number
#Name
#Description
#Type of Value
#Inbound/Outbound
[code]....
to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]
I have a ACS 5.1, My mailing server does not run on standard port number of smtp (25). Need to know if i can customize the port number suiting my mailing server requirement.
View 0 Replies View RelatedI am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
My basic NX-OS configs are as follows:
- feature tacacs+- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"- tacacs-server host 128.xx.xx.xx timeout 10- tacacs-server host 128.xx.xx.xx timeout 10- tacacs-server directed-request
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me the input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name because the client probably will not.
The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
I have Nexus 7K installations in 2 locations. Both of them have multiple VDCs. In default VDC there are continous tacacs error message though tacacs is not configured. The requests are from various public IPs where thsi VDC is not exposed to Internet at all. What would be t he cause of it?
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user root from 195.2.219.2
2012 Dec 11 16:25:28 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25797]
2012 Dec 11 16:25:34 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25799]
[code]....
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies View RelatedI think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.