Cisco AAA/Identity/Nac :: ACS 5.2 / Switch Administration Using SSH?
Dec 19, 2011
I want to use LDAP accounts to administrate switches. It works fine when I use telnet. I just need to push the RADIUS attribute Login-Service (ID 15) with the Telnet value (ID 0). Now I want to use SSH (for security reasons). RADIUS has to push the RADIUS attribute Login-Service (ID 15) with the SSH value (ID 50) (for example with Steel-Belted Radius [URL]). The SSH value doesn't exist in the RADIUS IETF dictionary for the Login-Service attribute. I can't create the SSH value because this dictionary is protected...
I have just reimaged one of my ACS appliances as it was completely corrupted. Now that I have done this, I have connected it to the network via DHCP so I can patch it from v4.2 to the latest version. The machine is now on the same VLAN as my workstation. When I try to log in I get the message
"This machine cannot be used for administration"
The box is a vanilla install with only the passwords set on the machine. My workstation has its local firewall turned off and is not using a proxy server. As I can't log into the GUI, I can't change any settings there?
I'm having problems setting up a Guest NAC server to authenticate administrative users against an ACS 5.x server. In the ACS RADIUS Authentication log, I can see the user authentication is successful. In the AAA Diagnostics log, I can see the following warning: An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.
I'm trying to configure ACS 5.1 as a RADIUS server for a Catalyst switch but I can't make it work. I keep on getting the "11033 Selected Service type is not Network Access" error message.
TACACS+ works fine but RADIUS does not. Any sample device administration config to use with RADIUS? It seems the service type does not work with RADIUS in this scenario (RADIUS + device admin).
Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following attribute: Attribute = F5-LTM-User-Role, Type = Unsigned Integer 32, Value = 300.
My question is: How can I define the same as above using 'Device Administration/Shell Profiles'?
There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under the Custom Attributes tab there is only space for 2 fields, not 3.)
My config: one DAP-1522 as an AP + one DAP-1522 as a switch, 6 meters between them, signal strength about 70. Any other wifi networks around my house. Both with FW140b03.bin dated 01/14/2011. Most of the time, both work correctly. But from time to time, the wifi link is KO. In AP status, the switch is mentioned as connected (uptime = 3 hours ...). The red LED is blinking on the switch. The administration web of the switch is not available and the link is KO. Unplugging and plugging the power units doesn't fix the problem. I need to reset the DAPs. From D-Link experts, I would like to get more description about these issues:
- in switch mode, which are the events modifying the red LED state? What does a blinking / off LED mean?
- in AP mode, what does "uptime ...STA ...." mean? Are frames periodically received from the STA?
We have a rack with a Cisco Catalyst 3750 that is networked with other racks in the data center and uses bandwidth from the data center co-location (which is also an ISP). We had a need to install a Comcast Business Class modem in this rack and want to be able to manage this modem remotely. What I have done so far is.
We are using a Cisco RV042 router with, I guess, V3 hardware version, latest firmware version (4.2.1.02). We changed the username and password from admin, default, to another name and password. Since then, we are able to log in only once after the router is restarted. If we leave the page, log out, or several hours after boot, we won't be able to log in to the web administration again. We enter username, password, submit, the image keeps spinning, but nothing happens.
I have an AP (Cisco Linksys Wireless-G WAP54G) with one port (LAN) on the back. I have tried several times to access the administration page but in vain. I reset the AP (holding the reset button for 10 seconds) and tried again to access it through my internet browser but I still have the same issue accessing the admin page. The main target is to access the admin page and configure settings in order to amplify my signal in some offices farther away.
RV220W is at firmware v1.0.2.4. From Administration / Management Interface / Web Access I have configured remote management:
Remote Management: [x] Enabled
Access Type: All IP addresses
Port Number: 8888
Remote SNTP: [ ] not enabled
From within the LAN side I can connect to the router and administer via https://192.168.3.97:8888
Status / System Summary reports:
WAN (Internet) Information (IP4)
Connection Type: Static
Connection State: Connected
IP Address: 207.180.139.242
NAT: Enabled
But from the WAN side (using the same Win7 computer) I cannot connect via: https://207.180.139.242:8888
This used to work. Also not working: PPTP logins. ISP is RCN via cable modem, fixed IPs.
Have tried power cycling the router - no luck. Have tried from a PC with AV off and the Win7 firewall off.
I have the router configured for remote admin from the web outside the network; however, I cannot establish a connection with the router. Other than adding the check mark and selecting a port, are there any other considerations for remote admin?
Region: Australia. Model: TL-MR3420. Hardware Version: Not Clear. Firmware Version: . ISP: Telstra.
Is remote administration over a 3G connection possible? The Telstra public IP is not pingable (from externally). It goes nowhere when I put the public IP into a browser (from externally). Any settings changes to enable this?
First-time user of Cisco hardware, and we just purchased the 4900M Catalyst switch. My question is very general. I am simply hoping to network 3 servers together and I do not wish to do any fancy or advanced configuration. Can I simply use the web management interface for network administration and setup? I just downloaded the Catalyst 4500 Series Switch Cisco IOS software configuration guide and they talk about the CiscoView network management system; is this my answer, or is this what most people use for basic configuration and administration?
We have recently upgraded the software on our two WLC 4404 from software release 4.0.xxx to 4.2.xxx to 6.1.199.4 and lastly to version 7.0.98.0.
We could access the WLCs' GUIs using https when they were on version 4.0.xxx. When we did the upgrades from version 4.2.xxx to 6.1.199.4 we couldn't access the Admin page through https anymore but only through normal http. We enabled https through the GUI and through the CLI and we did do the certificate regeneration, without any success. We then upgraded to version 7.0.98.0 and we still have the same result: cannot access the Admin GUI through https.
I just want to administer a Cisco ASA 5520 and a Cisco 1900 MPLS router. Can someone tell me, as an admin, what to check regularly when I get into the office on the Cisco ASA 5520 and the VPN/MPLS router for the administrator? Right now it is working as configured by the supplier for remote sites to connect to HQ and access several servers. My interest is to know the basic day-to-day checks on the Cisco ASA 5520 working as an IPS, the Cisco ASA 5520 working as content filtering, and the Cisco VPN/MPLS.
Sometimes, when I access my router's (Linksys WRT54G) web administration page, it comes out garbled; i.e. missing text, icons, links, form controls, etc.
It gets fixed after powering the router off and then on again.
I recently updated the firmware in my WRV210 router to Version 2.0.1.5, which is the most recent on Cisco's download page. After upgrading the firmware, I found that some of the administration pages do not appear to load correctly in Internet Explorer version 9.0.5. For example, the ADMINISTRATION -> MANAGEMENT page has data, but to see the data I have to scroll down about 3 pages. All five entries under STATUS do not have any data visible at all, which is typical for most of the other administration pages. An image of the Status Router page is inserted below. I have logged in to the administration pages with an old version of Firefox 3.0.14 and the pages are visible. The operating system that I am running is Windows 7 64-bit.
I haven't run across any other entries like this on this or other sites.
I have a really big layer two access network made of heterogeneous Cisco switches with different IOS versions and trains. My customer bought ISE (ADVANCED AND BASE LICENSE). As far as I read on the DS, it seems that if you have minimum IOS release 12.2(52)SE you are able to perform CoA; reading the DS with more attention, I noticed that Cisco recommends IOS version 12.2(55)SE3. Why? Does it mean CoA does not work with 12.2(52)SE? Do I need a minimum IOS release to perform 802.1x on my wired network?
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again, I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
I have some Alcatel switches and I want to use ACS 5.2's TACACS+ for Alcatel switch admin authentication. The Failure Reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets. But I checked that the shared secret is correct. Before, when I tried associating with ACS version 4.2, it worked.
I am testing an ACS 5.2 in our lab environment; I am testing port security for policy-based VLAN and ACL assignment. The problem I am having is with the 2960S switches: in my current setup it is working, but it doesn't seem to me like it is working the way it should. I have a downloadable ACL in the ACS defined and associated to an access policy, and it is working correctly. The problem is, from what I understand, I have to assign a default ACL on the switchport? So what I have assigned on the switchport is ip access-group 10 in. The downloadable ACL from the ACS is also called 10. Do I really need to match the ACL on the switchport with the ACL name I have created in ACS? That doesn't seem dynamic if that is the case? What is the ACL that I should apply to the switch port (if any) in order for the downloadable ACLs that I configure in the ACS to work no matter what port the user is patched into?
I'm unable to log in to the switch; I am getting the following error. I have tried these commands on another 3560 and that worked. When I enter the username and password, a "re logging authentication failed" error occurs. This is a remote-site switch.
I am running a Cisco NAC environment (Software Version is 4.9.1) with OOB VG.
We are getting the below and attached Error while deploying on some machines.
"Invalid switch configuration-OOB Error:OOB client "mac/ip" not found."
Some users on the same switches are working fine but some are not.
What would be the possibilities and any workaround? Other than keeping the port shut down for a long time, meaning at least 10 - 20 secs or more, or a PC restart. The customer is not feeling comfortable with the current situation.
I've recently been looking into linking in our Cisco 2960S Gb switch with RSA SecurID via RADIUS. I've already managed to link it in for SSH access,
but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA SecurID, and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server (okay on the first authentication, but each time after that it's going to want a different token code)
(if there's a way to get the switch to just authenticate once instead of multiple times against the RADIUS server). For info, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.
The table referenced in the new 1.1 ISE guide shows 12.2(33)SXI6 is the minimum version for support. Does this mean this version or above? Is ISE tested in the newer SXJ streams? We have a massive rollout of SUP720s to do and need to know the most stable version to load in preparation for ISE.
I would like to make a centralized management of login accounts on my Cisco switches (with a RADIUS server). But on the Cisco 3750-E, I use the 12.2(44)SE1 IOS and the command aaa authentication login does not exist.
Can the Cisco 3750 support an IOS other than 12.2 that has this ability?
Have you ever seen the problem where, if I set two TACACS+ servers on my N7K and the primary TACACS+ server fails, it won't switch over to the other TACACS+ server?
I can authenticate between our MDS 9216i switch and the RSA RADIUS server, but my role does not come across. The logged-in user is a network-operator, not admin. In the AV pair I have defined shell:role*network-admin, but it doesn't seem to come across.
First, my configuration, (then the problem down below):
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960. Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on the wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. Ok, now the problem:
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the necessary places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with the "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
[code]......
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE Version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
(code)
I'm doing some testing with an ACS server on my Windows box and I can't seem to get a bare-bones RADIUS authentication to work with ACS internal users. I tested the same configuration with TACACS+ and it works fine, so there's something missing or misconfigured in my setup.
I have a Cisco 3550 switch that I want users to log in to using their ACS username/password.