Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authorization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.




Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.


Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....


Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to set up two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?

More info:

Users from unconnected AD domains will be connecting to the routers and switches. There is a certificate server available to generate certificates. SSHv2 is the current login protocol.


Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.


Cisco AAA/Identity/Nac :: Setting Up ACS 5.2 TACACS Authentication With JUNOS?

Aug 6, 2012

I have ACS 5.2 and JUNOS 10.6.x. I set up 2 classes, eng-class and ops-class, with read/write and read-only permission. Here is my configuration on JUNOS:
 
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name "Regional-Engineering"
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

[code]....
 
I have 2 separate Authorization policies for the engineer and operator groups. Result:

1. The engineering group is working fine.

2. The operator group is not working; I'm unable to log in to the device under this group ("authentication failed"), but in the ACS logs it is successfully authenticated.

3. Web authentication is also not working for both groups.


Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

We have an ACS server v4 installed on a W2003 server. When we telnet to a device on the WAN, the authentication passes on the first connection, but when we telnet to a switch on the LAN the first connection fails and we need to retry the login. When I check the failed attempt log on the ACS I don't find the failed attempt. I find this issue on ALL switches on the LAN; from the switch I can ping the ACS server. This problem appears frequently.


Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1. The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page. Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS Logs (even with the debugging levels turned right up). The same Access service is in use for both the CLI and GUI (JWEB). Using ACS 4.1, both CLI and JWEB authentication works. [URL] I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism).


Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 


Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

How do I configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACS connection works, and my user authentication is successful, but I can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin", both as mandatory attributes named role and as cisco-av-pair=role with "admin" as the value, and I still get read-only.

When I attempt to find any documentation, it only describes ACS 4.2, which is another problem I have with most documentation for new Cisco products (I have this exact issue with my NAMs: nothing I do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).

Is there any possibility Cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?


Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added an AAA client in the Cisco ACS 5.0 for the WLC 4402 (TACACS+ Authentication) and configured the WLC 4402 to use TACACS+ authentication for management access. We can't get this to work for some reason.

Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC:
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....


Cisco AAA/Identity/Nac :: TACACS Nexus 5548 Authorization?

Jan 3, 2012

I am having an issue with authorization on the Nexus 5548. Note: the TACACS configuration has worked and still works correctly with all non-Nexus gear.

Authentication succeeds, and initial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name> are configured.

ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with the Access Policy.


Cisco AAA/Identity/Nac :: ACS 5.1 Failing To Authenticate Tacacs Authentication To ASA Firewall?

Jan 5, 2012

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting


Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've configured my device 6506-9 with TACACS+ server authentication: [code]

But when I try to access the device it only uses local authentication and not TACACS (with username/password defined). Could it be an error in the configuration? On the other devices in the network this works properly; it's only wrong on the Cat6506-E.


Cisco AAA/Identity/Nac :: TACACS Authentication Working Via SSH But Not HTTP (ACS 5.1 / 3560)

Aug 26, 2010

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.

Here is my AAA config, followed by a debug:

aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none

[Code]......


AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it?

2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.


Cisco AAA/Identity/Nac :: ACS 4.2 Tacacs Custom Attribute For Nexus 1000V

Jul 18, 2011

How do I add a TACACS custom attribute to ACS 4.2 for the Nexus 1000V: shell:roles="network-admin admin-vdc"? In the interface configuration I've added a new service: service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.


Cisco AAA/Identity/Nac :: Setup Tacacs Config Onto New NEXUS 5000

May 26, 2011

I'm trying to set up a TACACS config on my new NEXUS 5000 series. Nevertheless the authentication doesn't work. Actually I followed the config guide but something is not working or missing. I have set up everything through VMware with ACS installed on a Windows server.


AAA/Identity/Nac :: ACS 5.4 - TACACS Authentication - Drop Straight Into Enable Mode?

Dec 5, 2012

I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?


Cisco AAA/Identity/Nac :: N5000 Same User In Tacacs / Local Database With Different Privilege

May 15, 2012

I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform. I have configured authorization with TACACS+ on ACS server version 5.2 with fallback to the switch local database. A user test with priv 15 is created on the ACS server, password test2. Everything works fine, until I create the same username on the local database with privilege 0 (it doesn't matter if the user in the local database was created before the user in ACS or after), e.g.: username test password test1 role priv-0 (note passwords are different for users in both databases).

After I create the same user in the local database with privilege 0, if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and it should be the primary way to authenticate and authorize the user.


Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.


AAA/Identity/Nac :: ACS 5.2 Local Authentication With LDAP?

Sep 13, 2011

Is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as an Identity store to authenticate users on AAA clients and Network devices.


Cisco AAA/Identity/Nac :: ACS 5.3 Local User Authentication

Nov 12, 2012

I want to have a local user in ACS that is permitted to log in to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x. I created a user in the internal identity store. I tried configuring a policy to allow this user's TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documentation is sorely lacking.


Cisco AAA/Identity/Nac :: ACS 5.2 Authentication With Local And Global ADs?

Jan 6, 2012

I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),

- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
 
Last time I tested with ACS, it worked but didn't do the migration as there'll be changes from the ADs. Now my customer wants ACS migration by creating a new Group in AD, and I also updated the ACS config. For the user from the old group, authentication is OK. For the user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.

Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.

Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network; ACS should go to the local AD first. How can we check or make sure of it?


Cisco AAA/Identity/Nac :: Radius Authentication With ISE And Nexus 7000

Mar 24, 2013

I am trying to assign the right role for a user who authenticates to the Nexus 7K switch via RADIUS. I am using Cisco ISE version 1.1.1.268 and the Nexus version is 5.0.2. I have created a role on the Nexus.


Cisco AAA/Identity/Nac :: Nexus 7009 Using Radius Authentication?

Mar 13, 2012

I have set up my RADIUS server access on the Nexus but am unable to authenticate through PuTTY. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting:

2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check pass; user unknown - aaad

[Code].....


Cisco WAN :: Nexus 5010 Upgrade Required

Nov 4, 2010

We have two Nexus 5010 to test the solution. As part of the testing we upgraded the boxes from 4.2.1.N1.1 to 5.0.2.N1.1 and after the reboot the switch lost all of the VLANs. We put the VLANs back and when we got to the private VLANs we got the following error:

%PRIVATE_VLAN-2-PVLAN_ASSOC_UP_FAILED: Failed to bring up the association between 530 & 531


Cisco Switching/Routing :: Nexus 5010 With 1G And 10G Uplinks In VPC?

Aug 12, 2012

I currently have a Nexus 5010 connected to a core 3750X switch stack in a VPC trunk using 2 1Gbps links. I want to move this link to 2 10Gbps links without losing connectivity. So I want to remove a 1G link and move it to 10G, and then once that's up move the other 1G link to 10G, hopefully without losing connectivity. So the question is, can I have a 1G and 10G link between the Nexus and 3750s in the same virtual port channel without causing problems?


Cisco Switching/Routing :: Nexus 5010 Rebooted Itself?

Feb 9, 2013

Our Data Center Switch (5010) rebooted itself today; underneath is the captured screen:
 
NX5010-1(config-vlan)#
Broadcast message from root (console) (Sun Feb 10 14:22:41 2013):
 
The system is going down for reboot NOW! 
 
NX5010-1# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 740938 usecs after Sun Feb 10 14:22:41 2013
    Reason: Reset triggered due to HA policy of Reset
    Service: nohms hap reset
    Version: 5.0(2)N1(1)

[code]....


Cisco Switching/Routing :: Nexus 5010 - Only See Two 1 Gb/s SFP Fibre Modules

Nov 23, 2012

We have an old Nexus 5010 running version 5.0(3)N1(1). It is in a "frankenblock" (like Frankenstein), i.e. we bought the parts and created our own system design before VCE was created. We have since bought a VCE Vblock for our production sites. We use the frankenblock to test before we migrate to the production Vblock 300 FIX. The issue we have is the 5010 will only see two 1 Gb/s SFP fiber modules in the first 12 slots. All these slots are dual 1G/10G. If we add more than two, it claims not to see them. We tried swapping the SFPs and using both sfg-GE-MM and GLC-SX-MM modules, no difference at all. 1G SFPs are in the first 5 slots; only the first two slots are up, the others say "Link not connected" or "SFP not inserted". All five links are the same SFP and are plugged into other switches. The green link lights are on for plugged-in SFPs, even when the CLI states they are not plugged in. I tried both types of 1 Gb/s SFP, sfg-GE-MM and GLC-SX-MM, and I moved the SFPs between slots 1,2 and 3,4,5; nothing changed. From "sh int brief" you can see that it can see the SFPs, i.e. they are all 1G. From "sh int status" it sees 1G, but why does it say type 10G? Why, when I go to "int e 1/5" and try switchport mode now, can't it do mode and trunk now there (; Also, how do I stop or clear EU51 %SYSMGR-2-TMP_DIR_FULL: System temporary directory usage is unexpectedly high at 87%. I put as much info in the attached file as I could.


Cisco Switching/Routing :: Nexus 5010 Interconnected With Two UpLinks

Dec 11, 2011

We are looking for some latency in our net and I am trying to check if our STP implementation is running correctly. We have a simple flat network here and no blocked ports, just two NX 5010s which are interconnected with two uplinks. A remote site (mirrored setup) with 2 10G dark fiber connections, one for each NX 5010, is connecting a DR site. I have split the two sites into two STP domains by enabling bpdu-filter on the vpc between the two sites.

I have been running Wireshark on the local segment for some time and see the STP RST ROOT announcement every 2 seconds. This is probably normal? I was looking for some alternate root negotiation packets which would cause the MAC tables to be flushed.


Cisco Switching/Routing :: Nexus 5010 - Unable To Create More Than 256 VLAN In N5k

Jun 23, 2012

I am not able to create more than 256 VLAN in Cisco Nexus 5010 switch. While creating I am getting "No VLAN resources available for VLAN creation" Details below -
 
Switch model - 5010
Software : NX OS 4.0 (1a)
 
Error Message:
Nexus_5010(config)# vlan 417
ERROR: No VLAN resource available for VLAN creation.


Cisco Switching/Routing :: VPC Peer-link Between Nexus 5010 And 5020

Aug 7, 2012

I'm trying to create a vpc between a Nexus 5010 and Nexus 5020 switch. I recently upgraded the software so they are running the same version. I cannot get a vpc link. Is there something wrong with my setup? Is a vpc between a 5010 and 5020 even possible? They are connected using a pair of Intel X520s in 802.3ad teaming mode. [code]








Copyrights 2005-15 www.BigResource.com, All rights reserved