Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.

View 4 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: TACACS Authentication Working Via SSH But Not HTTP (ACS 5.1 / 3560)

Aug 26, 2010

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+.  I don't even get a log in ACS when attempting to authenticate via HTTPS.
 
Here is my AAA config, followed by a debug:
 
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none

[Code]......

View 8 Replies View Related

Cisco Switching/Routing :: Catalyst 3750 With Tacacs And Vrf

May 13, 2012

There is a requirement to configure tacacs and radius on catalyst 3750X (version 15.0) where two vrf exist.Is therer a solution to configure "tacacs-server,host x.x.x.x vrf yyy" ?? I know it is possible to configure under the "aaa group server radius xxx" the command "ip vrf forwarding yyy".Is there anything else for the tacacs-server and radius-server command?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA).  Is there a way to do it?
 
More info:
 
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.

View 20 Replies View Related

Cisco AAA/Identity/Nac :: Setting Up ACS 5.2 TACACS Authentication With JUNOS?

Aug 6, 2012

I have ACS 5.2 and JUNOS 10.6.x  I setup 2  classes eng-class and ops-class  with read/write and read-only permission here is my configuration on JUNOS
 
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

[code]....
 
I have 2 separate Authorization policies for engineer and operator group.Result,

1.  engineering group is working fine.

2.  the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.

3.  Web authentication is not also working for bot group.

View 14 Replies View Related

Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the  field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase.  There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACs connection works, and my user authentication is successful, but i can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
 
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
 
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
 
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....

View 24 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Failing To Authenticate Tacacs Authentication To ASA Firewall?

Jan 5, 2012

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting

View 6 Replies View Related

Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've been configured my device 6506-9 with TACACS+ server authentication: [code]
 
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E

View 6 Replies View Related

AAA/Identity/Nac :: ACS 5.4 - TACACS Authentication - Drop Straight Into Enable Mode?

Dec 5, 2012

I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently.  If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device.  Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device.  When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used.  On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE:  All servers failed to respond" when using locally configured credentials on the switch itself.  We are running ACS v4.2.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Has Stopped Authentication Logs After Reboot?

Dec 28, 2011

I have saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs, though I can login to the network devices using Tacacs login, but I am not getting Tacacs authentication logs ?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: C4948-10G / Tacacs+ Not Working On VRF Interface?

Feb 3, 2013

C4948-10G switch running IOS 15.0(2)SG ?ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
 
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable

[code]....

View 13 Replies View Related

Cisco Security :: Catalyst 3750 / Uploading Image Into Web-authentication Page?

Dec 21, 2009

i tried to create a customized web-authentication page that will re-direct any user to the web-page once they are connected to the network.
 
The problem is, i just cant attach/upload the image of the logo into the customized web-page (welcome/login page).Been researching about it, found and tried some clue bout it on cisco documentation, but still can't solve the problem.
 
Cisco document :Catalyst 3750 Switch Software Configuration GuideCisco IOS Release 12.2(52)SESeptember 2009
 
switch version :WS-C3750-48TS
 show flash :2 -rwx 12305677 Mar 1 1993 01:27:03 +00:00 c3750-ipservicesk9-mz.122-52.SE.bin3 -rwx 131 Mar 1 1993 00:17:25 +00:00 log.text5 -rwx 3254 Mar 1 1993 00:01:01 +00:00 config.old8 -rwx 113 Mar 1 1993 03:24:33 +00:00 pass.htm9 -rwx 1088 Mar 1 1993 03:39:18 +00:00 login.htm10 -rwx 113 Mar 1 1993 03:21:30 +00:00 fail.htm11 -rwx 104 Mar 1 1993 03:25:32 +00:00 expire.htm12 -rwx 856 Mar 1 1993 00:05:19 +00:00 vlan.dat14 -rwx 2479 Mar 1 1993 01:25:05 +00:00 web_auth_logo.jpg16 -rwx 1048 Mar 1 1993 00:01:01 +00:00 multiple-fs27 -rwx 1053 Mar 1 1993 02:18:34 +00:00 webauthpage.html38 -rwx 6551 Mar 1 1993 01:19:33 +00:00 logotest.html
 
following is my running configuration :Building configuration...
 
Current configuration : 4205 bytes!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Switch!boot-start-markerboot-end-marker!!!!aaa new-model!!aaa authentication login default group radiusaaa authentication login line-console noneaaa authentication dot1x default group radiusaaa authorization auth-proxy default group radius!!!aaa session-id commonswitch 1 provision ws-c3750-48tssystem mtu routing 1500authentication mac-move permitip subnet-zeroip

[code]....

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Configuring 802.1x Authentication On ACS 5.1.0.44 / Catalyst 2960S Switches?

Mar 22, 2012

configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches.All the documents i have found seem to have incorrect screen shots or missing steps.I have found a doc external to Cisco [URL]however this just hangs when attempting to complete the task in figure G.The other docs are for configuring IBNS & assume that 802.1x is already configured.

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.3 - HTTPS Access Stopped Working?

Feb 25, 2013

For some reason i can't get access anymore to the web interface of our ACS 5.3 appliance.Where i used to get a certificate warning first, and after that the ACS5 login screen, i now get totally no response anymore in my IE browser.
 
I can telnet to port 443 of the unit however.  And i (fortunately) still have ssh access to the unit.  So i did a reload (microsoft habits) but that did'nt solve anything.https access to other systems from the same browser is functioning fine
 
=================================
admin# sh ver
Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.228ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: <deleted>
Version information of installed applications---------------------------------------------
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.8Internal Build ID : B.839Patches :5-3-0-40-55-3-0-40-8
=================================

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS Version 5.2.0.26 View Backup Stopped Working From GUI?

Jul 27, 2011

We have an issue with View db (Monitoring & Reports) backup on ACS, version 5.2.0.26. We have scheduled incremental backup daily and full backup monthly. Everything has been working well, but since yesterday following errors have appeared, and full and incremental backup stopped working:

Alarm Name
System Alarm [Incremental Backup]
Cause/Trigger
On-demand Full Backup failed
Alarm Details
CARS_BR_BACKUP_CREATE : -405 : Internal error: couldn't create backup file
Alarm Name

[code]....

We use same repository as always. Backup to the same repository works from CLI.

View 2 Replies View Related

AAA/Identity/Nac :: Authentication Login On Switch 3750 E

Mar 29, 2011

I would like to make a centralized management of loggin account on my cisco switch (with a radius server). But, on Cisco 3750 E, i use 12.2(44) SE1 IOS and no command aaa authentication login exist.
 
Cisco 3750 can support other IOS than 12.2 who have this ability ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 3750 - IP HTTP Server (with No Authentication)

Dec 29, 2011

I have a customer who used to own a 3750 with a older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now that he has a replacement switch with a new ver of IOS (since the previous switch died). We slapped the config on from the old switch but no matter what we do (understanding that new http aaa authentication commands were added) we cant get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants.Basically what I'm trying to figure out is are we banging our heads into the wall for nothing as the "ip http server" will not allow an authentication method of "none" anyway? None of the offical documentation I have read for the http aaa authentication cmds shows this as an example nor have I found any blog posts on how to do it ether. Perhaps Cisco removed this by design.

Here is the config: 
 
aaa new model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
 ip http server
ip http authentication aaa login-authentication none

[code]....

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 3750 AAA Authentication Banners And Banner Logins

Aug 10, 2009

I'm experiencing some problems with AAA authentication banners and banner logins.I'm trying to use spaces and empty lines, but when login, all the lines are after each other, no empty lines, no spaces.The problem appears on a 3750 with IOS version  12.2(5)SE2.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Assign QoS Service Policy Via RADIUS To Catalyst 45k / 3750?

May 4, 2011

is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
 
in detail, we would like to assign this policy
 
policy-map SET_EF     class class-default       set dscp ef
 
to an interface. All traffic should be marked with a defined DSCP value.
 
This works find when doing it statically with
 
interface FastEthernet2/1         service-policy input SET_EF
 
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
 
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
 
unfortunately this seems to not work on Catalyst 45k and 37k.
 
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
 
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
 
4503-E#sh aaa attributes         AAA ATTRIBUTE LIST:        Type=1     Name=disc-cause-ext                 Format=Enum        Type=2     Name=Acct-Status-Type               Format=Enum

[Code]......

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 3750 / Get RADIUS Setup For Authentication To Switches And Routers?

Sep 19, 2012

We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers.  Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small.  I have attached my Microsoft NPS Network Policy.  Below is my IOS config:
 
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius

[code]....

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Re-authentication Not Working?

Aug 17, 2011

I have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth periode on the ACS 5.2, I did the following:
 
1. Configure a Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
 
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
 
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998

[code]....

View 2 Replies View Related

Cisco Switching/Routing :: Traffic Policy Is Not Working On Catalyst 3750?

Jan 28, 2013

Unable to limit traffic on catalyst 3750 gigabit ports it has fiber modules,
 
I want to limit traffic 2mb per port
 
I have tried srr-queue and policier but it is not working and there is no ratelimit command under any interface, Applying policy to output is not supported of the interface
 
policy-map rate-limit
class class-default
police 2000000 8000 exceed-action drop
int gi1/0/3
service-policy input rate-limit 
 
still when I start download it goes to 10 mbps

View 12 Replies View Related

Cisco AAA/Identity/Nac :: 2960 - Central Web Authentication With Switch Not Working

Mar 27, 2012

on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
 
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
 
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in(code)

View 12 Replies View Related

Cisco VPN :: Clinet Tacacs+ Authentication On ASA5510?

Mar 25, 2011

How to be able to locate a sample, working configuration of tacacs+ authentication on the ASA5510?

View 2 Replies View Related

Cisco :: CiscoWorks LMS 3.2 With TACACS Role Authentication?

Jan 4, 2011

I'm trying to get user authentication backed off to ACS 5.1, I've got it working but not the way I'd like.  This is using the TACACS settings not ACS mode.I've created a local user in CW and assigned it to the correct roles, then created a user in ACS with the same name and a different password and this works fine.My question is can I set the roles on the TACACS server using a shell profile/custom attributes.  All the documentation I can find is for ACS v4?

View 15 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved