Cisco AAA/Identity/Nac :: N5000 Same User In Tacacs / Local Database With Different Privilege
May 15, 2012
i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.a user test with priv 15 is craeted on ACS server, password test2 everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after ) e.g.: username test password test1 role priv-0 (note passwords are different for users in both databases)
after i create the same user in local database with privilege 0,if i try to connect to the switch with this username test and password defined on ACS, i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
I have FWSM's in Cat 6513's. I have a need to be able to session from the switch to the FWSM by using default account (not local user), at privilege level 15 I further have a need to allow a user read only access by ssh'n into the FWSM...
I believe I need to setup a local user, at, say privilege level 5, assign the show command only to privilege level 5, then set the authorization command for that user. So, i think my command sets are as follows to accomplish this: username <username> password <pw> priv 5 priv command level 5 mode exec command show aaa auth ssh console LOCAL aaa auth enable console LOCAL aaa authorization command LOCAL
I think, that this will allow the user at privilege 5 to run only the show command and only by SSH to the FWSM while allow the priv 15 level default login to continue to function properly.
Are there any harmful / unwanted impacts of executing resync-database on N5K? That command seems to be undocumented in the regular Nexus documentation but is mentioned here. Because I'm facing a similar issue it seems to be the solution, but I can't find any document mentioning possible impacts of running this command. Anypossible harmful impacts, such as disrupting the traffic flow or messing up the running-config, of running this command?
We are wanting to use local database users to authenticate our SSH connections to our 6500 cores.
We have added the usernames and password into the 6500 using
username anameduser password astrongpassword or username anameduser secret astrongpassword
We where expecting the commands to be the same as other iOS devices example C3750 we would add.
Line vty 0 4 login local
And this would allow us to use the local user database to authenticate our ssh sessions.
The login local commands are not availbe on the 6500s and we have not found any documentation on how to impliment a local database for this purpose except in a CatOS 6500.
I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs).When I enable in IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS.When I enable in ASA, it fails to enable, and ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitely. If I try to issue "enable 10" command in ASA it says: Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only. [code]
i configured pix 525 for easy vpn. About 100 to 200 people will use this service. i dont have much knowledge about radius and tacacas servers. Is local data base enough for extended authentication or should i configure the server for it ?
Using a CSV file, I can not add user in the internal database of the ACS I have a permanent "error File Format Validation Failed" However the file I want to import is a really CSV file.
i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal, AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.
1. Try to authenticate user in external database1 (radius) 2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
Having CSACSE-1113-K9 with ACS 4.2.15.I want to configure windows user database under extrenal user database but i get an error (attached) 'An error has occured while processing the Authen DLL Configure pagebecasue an error occured.I tried to stop the services and start agian but the same issue. The eappliance is secondary (backup) ACS. On the primary it is working fine.
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh aaa authentication ssh console SERVER_RADIUS LOCAL ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 60
I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
how I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
I know the way to configure the ASA to fallback to LOCAL authentication, if the Radius server is not available.
Now we would like to authenticate the local users, if the user is not found in the AD. Is this possible and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the Radius server will be marked as "dead" and the other AD users can't login for a given period. Maybe we can configure the dead time to 0, but this is not as nice it could be.
I am trying to configure an ASA 5505 running 8.3 to allow a priv 15 local user to be able to ssh into the device and be placed into priv 15 mode without having to execute the enable command and type the enable password.Right now when you log in as a priv 15 user you still have to execute the enable command and type the enable password to get to priv 15.
I'm a bit new to Cisco and i find this AAA a bit confusing..I've turend on AAA by:aaa new-model
Can I use this "default" list for WebVPN ? And what would be a different if i create new "sslvpn" list..Also when I'll be creating user for VPN remote access.. that user will also exist in local database and have access to router via SSH?Because the research I've done it doesn't seem you can group users in different "aaa groups" e.g. user admin belongs under "admin" aaa group which can do ssh to router, users for VPN can only do remote VPN access and not SSH and login into router.i saw ASA has some attribute for users called remote-user
•admin, in which users are allowed access to the configuration mode. This option also allows a user to connect via remote access.
•nas-prompt, in which users are allowed access to the EXEC mode.
•remote-access, in which users are allowed access to the network.
But i can't find this option in IOS on my 1900 Series ISR router.
(result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
reference [URL]
create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
having LMS 4.0.1 is it possible to authenticate user on a group base and assign different privilege to different groups?. The user's group are available in the LDAP server.Do I have to use a TACACS/RADIUS server between the Ciscoworks LMS and the LDAP repository?
I´m looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI not TACACS+.
-Hardware: 3750 (probably not interesting for this question) -Oldest IOS: 12.2(53)SE1
The user should be allowed to: see the running-configurationtrigger all kinds of show-commandsping and traceroute from the device.The user should not be allowed to: upload/delete/rename files on the flash-memoryget into level 15 (not sure if I can avoid this)all other commands despite those from level 1 and those specified above.
I have created internal user on internal identiy store --> users with password & enable password , Similarly i have enabled max privilige level 15 under policy elements , authorisation & permission ,Device administration , shell profile .But i am unable to login into device using enable password , I am finding following error on my logg report
Failuire reason : 13029 Requested privilige level is too high .
I have cisco ACS 5.2 and external identity source as RSA secure ID.Currently when the RSA user login to AAA Network devices, User id & passcode prompt coming after giving the credential its going to user exec mode.Then after "enable" command again asking for Passcode giving passcode then user able to logged in successfully.
I need RSA users to get direct privlege level15 (privlege mode) ? no need to ask enable password ?
I checked this for local ACS users it is working and loca users getting directly privelege mode access...
my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?
In CLI we have users log in at priv 1 and use "enable" to increase privilege and do configurations. This allows "accounting" of command history. On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.
I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is - that login/pw can be used to log in via http in the first place which bypasses accounting of the actual user. It also allows login to the CLI at priv 15 which I cannot permit.
We have implemented a local MAC address filter database on a WLC 4402. Right now, management access is restricted to a select few administrators. We would like to extend the ability of our PC services group to add MAC entries to this database via a script (avoiding the necessity to create Read/Write management user accounts). Is this possible? Is there a better way to accomplish this objective ?
I recently upgraded the firmware to 2.0.2.01-tm (from 2.0.0.19-tm). Now I noticed the RV082's local DNS server ("DNS Local Database" feature) does not work any more. Any URL-IPaddr combo I used to put in there was resolved prior to sending a request to the WAN's primary/secondary DNS server. It isn't a PC problem. I tested on different real and virtual machines, windows and Linux. Is there new "enable" switch somwhere?
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
I work at a campus and use the WCS to control access to my network for staff and only internet access for students. The Staff are assigned Username/password thru active directory and the student uses another SSID with only WPA --a password for all. I was tasked with adding more securing for students -- by adding a user/password. I do not want them connecting to my Active Directory for two reason--security risk and I have too many to input (over 1000). So, I wanted to use our internal database to validate users. I create a webpage with "WebAuth" that opens my logon page from my site and validates the login fields against the database. It works and this allows the user to navigate thru my website but not outside the site. If they try an outside url it redirect them to my logon script. I now understand why, so I'm looking for code I can add to my logon page that would allow me to redirect me to the controller's (once users are authenticated by my database) to call the WCS controller so I can enter a preset username/password so the policy management file would allow them access. I presently use "External" and don't know if "Custom" would work. Finding a way in using a database instead of adding one person at a time?
I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.
