Cisco :: ACS 5.3 User-based / Custom Enable Passwords?
Mar 23, 2012
I've installed Cisco ACS 5.3. After I created several internal users (defined password and enabled password), Identiy Groups, Access Polices, Network Devices and AAA Clients (e.g. Cisco 1841) for Radius and configured my Router like this:
...
aaa authentication login VTY group radius local-case
aaa authentication enable default group radius enable
....
Now I'm able to login successful using my internal User. But if I try to use enable to enter the enable level I'll receive the message "% Error in authentication." when I use the defined enable password.
In the ACS logging I'll can see that "$enab15$" is missing. If I setup a user name "$enab15" I can login to enable level, but what have I to do, to use the custom enable passwords?
Step 1.2 - 1.5 is requiered for both (Radius and Tacacs). Then you have to switch to 2.1-2.7 for Radius or 3.1 - 3.7 for Tacacs authentication.
View 1 Replies
ADVERTISEMENT
May 30, 2012
I typed such commands:Code:
View 3 Replies
View Related
Nov 8, 2011
We have one Cisco 2960 Catalyst switch.Rule Title: The administrator will ensure passwords are not viewable when displaying the configuration. Right now my user passwords are visible in plaintext. I tried #username <admin> password 7 - but everything I try there is an error I also tried #username <admin> secret but it says I can't have both a secret and password for a single account.
View 1 Replies
View Related
Feb 9, 2012
I'm just wondering, is it possible to find out or recover the passwords for users and pre-shared key for tunnel-group? The VPN connection was confiigured on ASA5505 before me, but no login details were left.
View 3 Replies
View Related
Aug 9, 2011
Using Custom Reports from Reports> Report Designer> User Tracking to create an end host report we get this error message: the syntax is not valid the system cannot find the path specified.
View 9 Replies
View Related
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
View 5 Replies
View Related
Feb 26, 2011
I have 4 story hotel with 40 rooms, 10 rooms in each floor, i want to setup wifi network to cover all the rooms, what should i do or what instruments to use, is it possible to make user based setup for each room.
View 2 Replies
View Related
Sep 8, 2012
I want to give limited access to our first level support so that they can execute certain basic commands like, port vlan change, access port shut/no-shut on Cisco 6509 and 3750E switches IOS based. I want to restrict them to only few options so they can not make changes to uplink (TenGig) ports and can not issue reload command etc. We do not have TACACS. What is the best way to achieve this?
View 2 Replies
View Related
Nov 30, 2011
is it possible to create some Configuration Template that pushes configurations only to switches or interfaces with a certain actual existing configuration element- e.g. a certain interface description?
Example:Template Parameter Mask asks User for an Interface Description- the User enters e.g. "A101" Second Parameter asks User for an access vlan to deploy to this interfaces- e.g. " 10"
So during deployment LMS make a "switchport access vlan 10" only on interfaces that contain the description "A101".
I know this is possible via Compliance Check/Deploy, but we want to make this more User friendly and flexible so that e.g. a Helpdesk Member can use this Template to easily change the VLAN based on a interface description (which refers in this case to a CAT5 outlet label).
View 1 Replies
View Related
Feb 12, 2012
I have a cisco 2950 switch, connected with 4Mbps of internet and number of users will access the internet. There is no restraction on bandwidth limit for users, if any body use high download the remaining users are facing the slow browsing problems.
So, if i can put a bandwidth limitation for every users the problem will be solved. how to restract the bandwidth on user bases.
View 4 Replies
View Related
Apr 19, 2013
Found you on Google and prays that the regulars here will take pity on a former Juniper admin. I've got a brand new shop to handle that is all Cisco including CUCM 8.x and I have zero Call Manager experience. How to enable international calling for a single user
[code]...
brief flow/steps for making sure a user can dial international? I figured it was as easy as making sure their DN CSS had the ability to do so, but apparently not.
View 5 Replies
View Related
Mar 27, 2012
how to perform UBRL User Based Rate Limiting on ASR1000 like we can do it on Catalyst6500?
View 3 Replies
View Related
Apr 26, 2012
I want to be able to gather some time metrics based on source IP, and destination port. Is it possiable to track how much time a user spends using a service based on it's port number. I have figured out how to capture all the data, and I can then look at timestamps, but I would like a better way if possible. Can this be done at the firewall, or do I need a different appliance?
View 1 Replies
View Related
Apr 29, 2011
I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs).When I enable in IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS.When I enable in ASA, it fails to enable, and ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitely. If I try to issue "enable 10" command in ASA it says: Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only. [code]
View 2 Replies
View Related
Jun 17, 2011
how do i change the telnet and enable and vpn user password on asa 5570.
View 4 Replies
View Related
Sep 17, 2012
I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"I need to enable dot1x on user's ports on the switch. each user is connected to the switch through the IP phone.
I just found out that I can not enabled dot1x on trunk port. I have tried to use "switchport voice vlan " but I got:
Switch(config-if)#switchport voice vlan 123
Command rejected: Gi7/20 is Dot1x enabled port.
let me know what should I do to get dot1x working?
Note: I have connected a laptop directly to the port and dot1x is working fine.
View 5 Replies
View Related
Jan 18, 2012
How do I...add a dos based computer to a network running windows 2003
View 1 Replies
View Related
Mar 29, 2011
if there was a way in which i could get every username and password associated with my email, sent to my email account. I want to delete some old accounts and stuff but where ive made so many ive forgotten all the passwords and usernames ect?
View 3 Replies
View Related
Jul 19, 2011
We have two ASA's 5540, running IOS 8.2(4). Is there a command to find out the password that we setup for VPN Load balancing? I recall there was a command that you type under CLI and it will display all passwords.
View 3 Replies
View Related
Feb 28, 2012
Found a script on the wiki http:/[url]....I have run it with four commands:
conf t
username admin privilege 15 secret password1
exit
wr mem
exit
However the output file shows me that I have an error:
Command Issued: conf t
Enter configuration commands, one per line. End with CNTL/Z.
Command Issued: username admin privilege 15 secret password1
Line has invalid autocommand "username admin privilege 15 secret password1"
Command Issued: exit
Command Issued: wr mem
Building configuration...
[OK]
I found some sites that talked about "A" script not knowing that it is a new line and tries to send additional chare to the terminal. Obviously not specific to this script.Do I need to escape the end of line with a ' or ' for it to know that it is a new command? I have about 50 Routers and 100 Switches I need to change a password on.
View 15 Replies
View Related
Jan 5, 2012
Is there a way to reset the device and start all over again. The person who set this up is no longer with the companyand did not detail the information. We installed a new t1 line with new IP addresses and need to set this to connectwith our remote location. And I am not knowledgeable at all on how to configure this.
View 1 Replies
View Related
Aug 4, 2012
At the school I live in various sites are blocked so I need to use a proxy to access them. Is there any way that someone could steal my password or something while I use one? Also, let's say that I use a proxy in one web browser (let's say Opera) to view a blocked site, but then use a different browser (Firefox) with my normal IP, would I be able to use Firefox with no worries if I need to check something like my bank account? Basically, can you restrict them to one program so you can use personal information on one and normal browsing on the other?
View 1 Replies
View Related
Feb 9, 2011
can a wireless router with keylogger get password for myspace or facebook.if someone is loged on my wireless network.like if there using a ipod or compute
View 3 Replies
View Related
Aug 14, 2012
I'm currently looking for a way to change all of our Laptop & Workstation (Approx 250+ machines) BIOS passwords using a remote tool if possible. The majority of laptops are Latitude and the workstations OptiPlex although most of the laptops have BitLocker activated. We also use Empirum software to push out software.
I have been looking around and into using the Dell Client Configuration Utility and also the OpenManage tool although I'm not too sure if they would work for us due to us using BitLocker.
View 1 Replies
View Related
Mar 15, 2012
I have a TP-Link Wireless Router (TL-WR340G) and I use it for both Wired and Wireless connection. I have two desktops that connects to the router through cables and I also have 2 notebooks that connects through WiFi.
Now, I want to know if there is any software that can generate passwords which I can assign into individual PCs that connects with Wifi. For example, Notebook #1 has the password "abcdefghij" and the Notebook #2 has the password "1234567890" and they can both connect to the WLAN.
View 2 Replies
View Related
Feb 20, 2012
Am setting up Cisco 3750 for the first time via CLI
1. what is the procedure for configuring passwords on the device.
2. how can i stack 3 switches in a site .
View 1 Replies
View Related
Sep 17, 2012
I recently purchased a new laptop computer and since I already had a wireless router I thought that I could get on line easy but, it seems the password I had written down does not work. I called my cable co. Charter to see if they could correct it. Well Charter changed it to something only God knows. Now neither Charter nor myself can make my laptop access the web without directly plugging into the router. What good is a wireless router that no one knows the password too? How I go about changing a password that I do not know and neither does my ISP.
View 2 Replies
View Related
Apr 27, 2012
I just procured Cisco 3560V2- 48PS-S i would like to know how to set it up from scratch:
1. configuring passwords: enable and privilege
2. Creat Vlan , such that systems connected to the Vlan can connect to internet.
3. enable routing protocols
4. How do i use the switch as a default gateway for the systems on the vlan
5. how do i make sure the desktops connected to the switch are browsing the internet.
View 3 Replies
View Related
Mar 26, 2013
Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc
i don't have access to the ASA at the moment and haven't been able to figure it out in IOS, i'm assuming its not too hard.
View 1 Replies
View Related
Jul 6, 2012
I've discovered that the DDNS update client in the RV042G does not support passwords that contains spaces. This is the first router I've run into that didn't like it.
View 1 Replies
View Related
Oct 28, 2012
I have a 2514 Router that i have tried numerous times to access the break sequence and do a pwd reset, while connected to the console port.. How ever its whopping me good..
[code]....
View 4 Replies
View Related
Oct 10, 2012
I want remove saved passwords in 2003 server with which XP clients login
View 1 Replies
View Related
Aug 20, 2011
We've recently installed Windows Server 2003 at our small office for data storage, and have set up shared folders in the Win Server 2K3 for access from about a dozen Win XP Pro machines.Upon the first access of these shared folders from a Win XP Pro machine, we're required to enter a User Name & Password for the Win Server 2K3 machine:Is there a work-around for this? Perhaps some method in WinXP Pro to save the username/password? As it stands now, any time one of the WinXP Pro machines gets rebooted, or if the server gets rebooted, users of the Win XP Pro machines have to re-enter the username/password, and I'd like to find if there's away around having to re-enter that info.
View 5 Replies
View Related
