We have CISCO ASR 1002 router on our DC, I want to enable TACACS on this router.what is the usage of key, we need a separate key for every device? or. [code]
View 9 RepliesI was asked to configure a new ASR 1002 today and after successfully puttintg the config on the router (via TFTP) the router will no longer communicate with anything. There is nothing in the config to cause this (it was actually pulled off a working production ASR 1002) and I am unable to ping a local loop back IP while consoled into the router?? I removed the config, reloaded the router and configured a new loop back - same issue cannot ping the loop back or anything else connected to this router.
View 7 Replies View Relatedi have a question about multiple TACACS Groups. I want to archive the following:
A Cisco 888 is managed by me and a Provider Support Team. Since we both want to access our own TACACS Server, i want to create two TACACS Groups. Is it possible to me, to bind a Tacacs Group to one Interface, and the second TACACS Group to another ? Means that our stuff is connecting to the LAN Interface FastEthernet0 that is applied to the SVI in V LAN 1.
The service technicians from the Provider are connecting to the external Interface or through a possible Lo. (another IP). I do not want to mix our 2 TACACS+ Server and theirs together in one Group. So have anybody tried this before ?
I need to know, can i create svi on the ASR 1002 ?
View 2 Replies View RelatedSince a upgrade in IOS XE 3.0.9, our ASR 1002 have a problem with the DHCPDISCOVER.
View 1 Replies View Relatedwe are replacing network equipment at one of our sites. The network will have 12, 3750X switches(6 stacks) - one stack will be the core. A 1002 will be the WAN router to the Main campus. The 1002 will connect to the core via 2 ethernet cables. I'm debating whether to use L3 or L2 between the router and Core. I've heard that routing is more efficient if L3 is used and also I will be able to create an L3 etherchannel between the 1002 and Core switch. See the attached doc.
View 6 Replies View Relatedi've heard that it is now possible to use Vlan 1002 -1005, perhaps only on certain devices.
View 3 Replies View RelatedI have been experimenting with acs 4.2 and a cisco asa 5510. I have managed to authenticate the ASA users with my tacacs server. The user "test" is authenticated with the tacacs server, and can log in. But the enable password is wrong, because i dont know where to place it in the tacacs server.
Now my question is, where do i set my enable password when authenticatig with tacacs+. And for this i mean in the acs 4.2, i know how to do it on the asa.
We are having Cisco router 1002 ASR and 2841 switch. Some times perticular VLAN user will not be able to access the network but from the same switch others VLAN users can able to access. We were getting ARP entries in router but we cannot ping the IP's. Even we clear the ARP entries. Once we restart the switch users can access the network. We have changed vlan ports, uplink too. but problem not solved. and we observed CPU utilization will be going 70-80% some times and at same time switch hangs.
View 3 Replies View RelatedCan any share some useful links on how this works and how to configure it? Do you still need to configure FHRP or does configuring redundancy take care of active/standby relationship between the ASR's?
View 2 Replies View Relatedprovide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
View 8 Replies View RelatedI am trying to migrate an ACS 4.1.1(24) using the migraton tool to ACS 5.2. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports are showing no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
I know that the ASR 1002 has 4 integrated ports but the problem that I am having is that I need two of those ports to emulate a L2 switched port. Is that doable?
If not than I need to purchase the following module below. Is that price really true?
I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?
View 3 Replies View RelatedWe were going to create a 2 port, layer 3 etherchannel between a 1002 router and a 3750X layer 3 core switch. We wanted to create bunled link between them but, now we are going to be putting a Riverbed device between the router and core switch. Because of this, would it be best to abandon the idea of creating a layer 3 etherchannel and just have 2 links from the router and core switch and have traffic load balance between the 2 links?The Riverbed will have 2 connections into it from the Core switch and 2 connections into it from the 1002 router. I was hoping to keep the layer 3 etherchannel but, do you think it would be best to create 2, /29 nets and have the router/Riverbed and Core Switch/Riverbed load balance.
View 5 Replies View RelatedWe think we have configured the ACE and Tacacs properly as we auth, but are not able to enter into configuration mode.
ACE-4710 A4(2.3)
There is a requirement to configure tacacs and radius on catalyst 3750X (version 15.0) where two vrf exist.Is therer a solution to configure "tacacs-server,host x.x.x.x vrf yyy" ?? I know it is possible to configure under the "aaa group server radius xxx" the command "ip vrf forwarding yyy".Is there anything else for the tacacs-server and radius-server command?
View 2 Replies View RelatedAll ip's and any identifying numbers have been change to protect.
I have a 6500 series switch that for some reason will not authenticate to the tacacs server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in thru ssh. And the enable secret to get into privileged mode. Tacacs key is correct, btw.we will call the server vlan 300 and the admin vlan 400.the tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.
I can ping the tacacs server via the switch, but when i use the source cmd with the ip address of the admin interface vlan, ping will not work. I changed the tactics source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine. ip routing is turned on. There are entries for both the server vlan subnet and the ad-min vlan subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan.
I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for ip's, keys, and vlans) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that Im having an issue with, and none of them are having issues with authentication.
I have a little problem. My customer is using TACP-PLUS ALPHA (F4.0.3.alpha.v9). Well, the same user than have access to another Cisco equipment, with user test1 by sample, can configure anything in the equipment. But in the nexus 5000, el command "show user-account" indicate just the "network-operator" role. Well, I patch this situation with the next commands:
aaa authorization config-commands default group TACSERVER local
aaa authorization commands default group TACSERVER local
Well, when I do a telnet into the nexus, I can shut the interfaces, config and anything. But, when I ingress by console, I can not to configure the interfaces.I understand that the Nexus 5000 the Tacacs configuration is global for VTY and Console (different in the Cisco equipment Routers by sample).
On my 2650 Router it just has only Telnet password.It has no enable mode password set.After reboot it is goes to prompt mode BB.I am unable to go to enable mode .how can i go back to enable mode on this router?
View 13 Replies View RelatedMy engineer onsite can't get into enable mode on his 2911 router. I've seen this before but I can't find out how I fixed it.
He gets an error saying : no password set
Here is the config:
Router#sh run
Building configuration...
Current configuration : 1784 bytes
!
[Code]....
I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
My basic NX-OS configs are as follows:
- feature tacacs+- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"- tacacs-server host 128.xx.xx.xx timeout 10- tacacs-server host 128.xx.xx.xx timeout 10- tacacs-server directed-request
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me the input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name because the client probably will not.
The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
the following information before:
Switch: WS-C3750X-48P (Stack with 2 Members)
IOS: 12.2(58)SE2
Lic: IPBASEK9
uptime: rebooted this night
[code]....
Since i added another Member to the Stack, i'm facing the following problem:When i login with my tacacs user account, i will not be asked for the password.The same thing is for the tacacs account of my colleague, after entering the username he is logged in.It seems for me, that the passwords are cached only for this Switch.
I am trying configure tacacs authentication for http in Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It ask the credentials (user and pass) but not authenticates.
View 7 Replies View RelatedI was trying to enable AutoQoS on my router 3925 GE interfaces, but failed to do so !! But I was able to do so on FE interfaces !! I have Security/K9 and Data/K9 license on this router. Or do I still miss out anything ?? I am on IOS 150-1(M4).
I was able to enable AutoQoS on all my Cisco 2811 and 1841 routers !
I have Nexus 7K installations in 2 locations. Both of them have multiple VDCs. In default VDC there are continous tacacs error message though tacacs is not configured. The requests are from various public IPs where thsi VDC is not exposed to Internet at all. What would be t he cause of it?
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user root from 195.2.219.2
2012 Dec 11 16:25:28 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25797]
2012 Dec 11 16:25:34 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25799]
[code]....
I have a pair of OLD Cat6500's running CatOS:
WS-C6509 Software, Version NmpSW: 7.6(16)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Dec 22 2005, 16:37:19
System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.7-6-16.bin'
System Configuration register is 0x2
I know these are no longer supported, but I have to ready them for migration. Recently a problem began with these switches. What happens is that when I telnet to them, I cannot authenitcate via TACACS. This works fine for all our other IOS equipment, just not for these 2 switches. The error is:" % Error in authentication" and then I get kicked back to the login prompt.
The odd thing is that when I connect to the switch via the console port, I can authenticate fine with TACACS.
CMS> /c 14
[Code].....
I have purchased these two switches from ebay as a test lab, I plan to connect them up via a gigastack modulecable and enable ip routing on the c3550 and vlans to talk to each other.
I'm very much a procurve person and really need to get into the cisco switching.I will want to trunklacp between the switches - whats the process is setting that up on cisco switches?
the following information before:
Switch: WS-C3750X-48P (Stack with 2 Members)
IOS: 12.2(58)SE2
Lic: IPBASEK9
[Code]....
Since i added another Member to the Stack, i'm facing the following problem: When i login with my tacacs user account, i will not be asked for the password. The same thing is for the tacacs account of my colleague, after entering the username he is logged in. It seems for me, that the passwords are cached only for this Switch.
I need to enable multicast routing on 2960s but the command "ip multicast-routing" isn't available on my release (12.2.(55)).
From which release this command is available?
Have a 3750X running at the moment and has about 30 vlans all connected and just use the ip route global config command to enable routing. Plan is to switch out to the 4503E, with IPBase license. When ever I issue the same command, and do a show run its not there. I get no error when I issue the command either. And yes I have rebooted. Do I need to use RIP or OSPF routing? When I do a show ip route the screen looks the same with all the codes, though gateway of last resort isn't set even though I do have ip route 0.0.0.0 0.0.0.0 a.b.c.d in the config. Or is ip routing just enabled by default?
View 6 Replies View RelatedI have been trying to enable L3 intervlan routing on C2960S Switch with ip routing command and that was the output from the Switch: [code]
View 6 Replies View RelatedI have 2 sub net directly connected to a ASR 1002. This is the configuration
interface GigabitEthernet0/0/0
ip address 193.145.14.114 255.255.255.252
negotiation auto
[Code] ....
The interface gi0/0/0 is connected directly to 193.147.14.113/30 in another router. And the Gi0/1/1 is connected to my internal infra structure. From my router I can ping 193.145.14.113 . So. I configure my PC with default-gateway 193.147.107.3 (ASR).
From my PC
I can ping 193.147.107.3 (gi 0/1/1)
I can ping 193.145.14.114 (gi 0/0/0)
But I can not ping 193.145.14.113 (the other point connected to gi0/0/0)
Why???? It is a IP inside of a sub net directly connected to the ASR. Why the ASR is not doing routing? ip routing is enable.