I'm doing some tesing in SFE2000P linksys switch about the TACACS authentication. I have configured the switch accodringly to point my ACS server with key string. Now, I'm able to login into the switch with TACACS account in HTTP/HTTPS only and but, not with the TELNET access.
Still Switch is authenticating with the local user account only, when in TELNET access method.
I would like to find out if the Cisco SFE2000p supports Link-Aggregation in a stack. For instance Unit 1 interface 1 and Unit 2 interface 1 in the same LAG?
View 1 Replies View RelatedI have a pair of OLD Cat6500's running CatOS:
WS-C6509 Software, Version NmpSW: 7.6(16)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Dec 22 2005, 16:37:19
System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.7-6-16.bin'
System Configuration register is 0x2
I know these are no longer supported, but I have to ready them for migration. Recently a problem began with these switches. What happens is that when I telnet to them, I cannot authenitcate via TACACS. This works fine for all our other IOS equipment, just not for these 2 switches. The error is:" % Error in authentication" and then I get kicked back to the login prompt.
The odd thing is that when I connect to the switch via the console port, I can authenticate fine with TACACS.
CMS> /c 14
[Code].....
Iam using LMS 3.2. In short, there is 2 type of router, 2800series and 2900series. These device already join to TACACS server. When I try to sync archive I got:
- failed on 2900series
- successful on 2800series
I have doing same config (credential, snmp, protocol for sync archive), for those device on ciscoworks but why I find the error??
We have a group in TACACS ACS4.2. I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says "command authorization failed".
View 2 Replies View Relatedwe have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
View 1 Replies View RelatedWhile working in a 3560 all of a sudden I received the message "command authorization failed" while trying to issue certain commands.
It appears I lost my priv 15 authorization. We have seen this before, we do not have access to the ACS to trouble shoot the issue.I tried logging in a 2nd and 3rd time using tacacs and received the same error whenever I issued a command such as dir flash: , copy tftp flash or show run. At the time I was trying to copy IOS to the switch, I had a co-worker log in and it was fine for him and he completed the copy.
Once completed I logged back in and all was fine again. We suspect an issue with ACS? possibly a timeout of our TACACS authorization ?
I've been configured my device 6506-9 with TACACS+ server authentication: [code]
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E
So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.
A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).
I have more than 20 SF 300-24P 10/100 Managed Switch switches deployed and running in my office network. All these switches have web configuration utility enabled. We would like to enable telnet too. But for this I know I have to visit site to site, connect the switch manually with a laptop and enable telnet option. I am looking for how can I enable telnet in these switches using web-based switch configuration utility.
View 3 Replies View RelatedI have sf300, i didn't found the option to telnet it. default IP of the switch is 192.168.1.254, i can access it by HTTP.
also i'm not able to attach IP phone on voice vlan & computer on vlan 1 ,please share the step by step guide how to access the switch by telnet.
& how to make voice vlan 2 for IP Phones & Vlan 1 for PC.
I can telnet to switch from checkpoint firewall access port and from switch directly. I can ping/traceroute successfully to the switch. Access-lists 14 & 15 are allowing the traffic I want. The router on the other side of the FW has 2 static routes and a default static route set up.
Here is some of the config from my switch:service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryptionhostname xxxxx
enable secret xxxxxx
username xxxxxxxx password xxxxxxxip domain-name xx.xx.netaaa new-model
aaa authentication login default local enable line none[code].....
Not sure of checkpoint firewall config....I have run wireshark when trying to telnet and I get no syn-ack back from remote switch. Just 3 consecutive syn attempts.I have some switches I can connect to and they go right through the 3 way TCP handshake and I cannot find any differences in the configs between the successful connections and the unsuccessful connections.
configure Line Telnet on a Cisco SG300-10P switch.I am in config mode and enters line telnet,but when I do a show line,telnet still are disabled..
View 1 Replies View RelatedI have an SG300 authenticating telnet login to a RADIUS server. It allows me to log in at Priv level 1. when I try and enter Priv 15 mode, I'm prompted for a password which I don't appear to be able to set anywhere or know.
If I remove RADIUS and go back to Local authentication, telnet logs me in at Priv15 immediately.
We've got a SG200-18 switch that is to be used as a workgroup switch in our environment (SW Version 1.1.1.8). Working with CLI on big and mid-range Cisco-gear over the past two decades I'm having a hard time figuring out the following on the SG200:
o) I want to change the Management-VLAN from the default "1" to the management-VLAN used in our environment. Sure enough I created that vlan in the SG200-config, however when it comes to assigning the management-IP and VLAN for the management interface in the corresponding pulldown under "IPv4 interface -> Management VLAN" the only thing selectable is the default "1". (see screenshots enclosed)So how do I set a management VLAN different from 1?
o) How do I enable telnet/ssh-access to the SG200-18 - I'd be far more comfortable with a CLI-environment?
I HAD similair problem:[URL](Have ver 1.1) Forgot password. Restored to v1.0.0.86 via telnet Been playing around with telnet AND web based updates Read somewhere else (Web-based ONLY works with IE) (Tried Web-based and keep getting "Copy Failed/Undefined Error" and 0 Bytes transfered) Know to upgrade "Boot" first, then "Software Image" THEN reboot
Tried telnet (not through web-based startup) Can get to "lcli" (by Ctrl+Z twice)Retyped Username and Password:
At "console#" tried typing "copy tftp:///srw2024_16_boot-101.rfb boot" didn't work : "Must be valid URL or reserved keyword"
Where am I going wrong?
We have recently purchased SG 300-52Port Cisco Switch to support our Network but they constantly having some bizarre issues or I assume bugs, i.e. we cannot Telnet nor SSH to the switch now, whereas we were able to SSH before, we have set them up for Remote Log Services to get some syslogs and reports but no report have been generated nor logs,
I have done some testing through Wireshark and there are absolutely no reports / logs.We have some real issues with this switch and it’s hard to believe that this is a Cisco Product,
SG 300-52 Port Gigabit Managed Switch
Firmware Version (Active Image ) : 1.1.1.8
Firmware Version (Non-active ) : 1.1.0.73
Boot Version : 1.0.0.4
I want to remotely access Cisco 500 switches via TELNET and WEB BASED from a server. I dont know the ip addresses for Cisco 500 switches which are configured as backbone which the ip address assigned on the network is static ip address. Specifically I want to get their configuations inorder to get their specified assigned vlans on the network. I know the ip addresses for their specified cisco 500 switches' gateways. I know that cisco 500 switches can be accesses through web. Is there other ways to solve the problem apart from going onsite and connect to the cisco 500 switches using network cable since cisco 500 swithes dont have console ports?
View 1 Replies View RelatedHave an SRW2024 that I was updating firmware and it got interrupted. Now I can't access the switch from either console or IP. Switch will not pass traffic. Is there a way to get this switch completely reset so I reconfigure and use it again?
View 1 Replies View RelatedI am facing problem in configuration with SF-200-24P Switch . I am failed to configure two vlans on same access port i.e. data vlan and voice vlan. there is an option of auto voice vlan with vlan 1 and i changed to our voice vlan i.e. vlan 101 but didnt work. I tried many options. when i assign single vlan on each
access port it works . I have to configure like to work both data vlan and voice vlan with one access port. I worked on enterprise cisco switches its simple but on small business switch first time i am working.
with TFTP upgrade SRW2xxG4_FW_1.2.3.0.ros and WEB interface after the restart, the switch will not start, display HyperTerminal link. You can also restore the switches do not?
View 1 Replies View Relatedi provide 192.168.1.201 and port No.8150 in CP Plus DVR . I am able to login through Local system via IE with [URL] after pressing enter key Login window appears. I will type User ID as Admin and password 888888. now i am able to enter DVR and view all cameras. no problemin Beetal ADSL router ( ISP Router) i configured port forwarding as followsIP address 192.168.1.201 and Port No. 8150 both internal & external.Now i got internet IP address through MY IP Address.the IP address is 59.92.67.72 ISPs IP address for my Borad Band.through another internet with different different ISPI open IE and type [URL] got same loging window as in LANagain I enter User Id as Admin and password 888888but shows login failed Message through internet I got the same login window when i tried through LAN, but I am to unable login with a message login failed
View 1 Replies View RelatedI've been trying to set up my TP-Link WR740N router but it always give the error "Failed to Verify router settings" on the last step of the set up screen. Broadband: Globe broadband (Wired)Modem: Siemen Gigaset SE260 I'm also confused on the 2nd Set up screen, it gives the option to select Dynamic IP Static IP PPoEI've tried using the Dynamic IP and PPoE but still getting the same error message
View 1 Replies View RelatedI am having Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS . I want to install new Licence on it for DATA. When i am trying to install licence on it i am facing the error "% Error: License installation failed with error: XML parsing failed".
View 4 Replies View RelatedIf I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made? I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within NCS gui like I can on a WLC. I know that NCS has an internal audit trail but if a users account is both a local account on NCS as well as an account being authenticated through ACS does the Audit trail on NCS for that local user still contain the information about changes the user made? I ask because it looks like it does but I want to make sure I'm not going mad. Here is my example:
Local account username: NCS_Admin2AD account via TACACS username: NCS_Admin2
Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies View Relatedhow to Configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x setup and authenticating to Active Directory. Have changed the LMS 4.x Authentication Module to TACACS+. Have gotten past the user / password problem by configuring a local user in LMS 4.x. Now, am hitting the Default rule in ACS and Shell Profile is deny access..
View 1 Replies View RelatedI think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
How to be able to locate a sample, working configuration of tacacs+ authentication on the ASA5510?
View 2 Replies View RelatedI tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....
I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.
View 2 Replies View RelatedTacacs not working for 3 new 5508 WLC's...working fine for 6 old 4400 WLC's.
Before 7.116 code upgrade...I remember 5508 was working on and off and now they are not.
Same configs on SW, WLC and ACS.
Debug on WLC gives..below message when Tacacs is attempted..
*aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus
Not sure why statistics show zero...?? Radius is working for users.
(wlc03) >show tacacs auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.3.121.21
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
[ Code].....
I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers. The servers are capable of TACACS, are using port 49 and have the correct shared secret. I believe I do not have the devices configured properly on the ACS side. These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.
View 6 Replies View Related