
CSACS 1121 V5.4.0.46.4

Eric R. Jones
Level 4

Good morning everyone, I'm Eric Jones and I'm a CISCO equipment user.

I have some questions on the 1121 AAA server.

We have 2, one is configured to work with our Active Directory.

It accesses the AD data and will pull the username from the AD group; however, when you attempt to enter the AD group user's password it fails to log in to the chosen IOS device.

What it wants is the enable password created for the local admin account on the IOS device.

The Shell profiles and Command Sets have been created.

The binding has been completed.

The IOS device has its configuration completed.

Part II of this issue.

When I first began configuring the device there were no Default Device Admin or Default Network Admin Access Policies configured.

I had to create these myself.

After that surprise everything went smoothly as mentioned above with the Shell Profiles and Command Sets.

Has anyone seen this issue before?

Part III of this issue.

When entering the Monitoring and Reports section and enabling Support Bundle I get an error when trying to start it.

I get a red warning banner at the top stating the server isn't running. Well, clearly it's running, but it doesn't think so.

Also when trying to view the reports to see any accounting, authorization, authentication information in the logs there's nothing there.

I have configured the logs to write to a Server but nothing ever gets written.

And since nothing is being done locally on the ACS I can't tell why it's not writing to the server.

Any thoughts?

ej


Jatin Katyal
Cisco Employee

1.] Could you please paste the IOS configuration here? I need to see how you have configured your enable authentication on the IOS device. If it is pointed towards ACS then you should type the same enable password as the one you used for user login.

If you have it pointed towards the local database then you should have an enable password defined on the IOS like this:

enable secret [password]

2.] Default Device Admin or Default Network Admin Access Policies should be predefined there. You should not configure this. Were you able to see the access policies before? If you can't see them all of a sudden then this may be an issue of data corruption, but that still needs to be confirmed.

3.] Is your view database running fine? Can you get the output of show application status acs from the ACS CLI?

What do you see in the log collector settings on the ACS?

Do we have both these boxes in a distributed environment or are they standalone in different regions?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I don't have access to the box right now so I'll have to post that later.

As for the next 2 & 3.

2. Those predefined policies were not configured; I had to build those myself. I thought this was odd because when I took the ACS course they were already there. I'm using my lab notes to help configure the box.

3. When I access the CLI and run show application status I get information back showing that all the listed processes/services are running.

The log collector is pointing to the local device and I have also configured it to point to a server with an NFS mount for log collection in case the box becomes inaccessible.

ej

Here is the config minus some sensitive password information and ACL lists.

!
! Last configuration change at 23:25:58 UTC Wed Oct 2 2013 by a1236ej
! NVRAM config last updated at 23:19:01 UTC Wed Oct 2 2013 by a1236ej
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 209-G2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa group server radius 10.2.9.2
!
aaa group server radius yacs001
!
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+
aaa authorization commands 1 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 1
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 1 CONSOLE start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-24ts
system mtu routing 1500
vtp mode transparent
ip domain-name srf.local
!
!
!
!
crypto pki trustpoint TP-self-signed-3353342592
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3353342592
 revocation-check none
 rsakeypair TP-self-signed-3353342592
!
!
crypto pki certificate chain TP-self-signed-3353342592
 certificate self-signed 01


  quit
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
vlan 10,209
!
vlan 999
 shutdown
!
ip ssh version 2
!
!
!
interface Loopback5
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 209
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport access vlan 999
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,209
 switchport mode trunk
!
interface GigabitEthernet1/0/26
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,209
 switchport mode trunk
 switchport port-security mac-address sticky
 shutdown
!
interface GigabitEthernet1/0/27
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,209
 switchport mode trunk
 switchport port-security mac-address sticky
 shutdown
!
interface GigabitEthernet1/0/28
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,209
 switchport mode trunk
 switchport port-security mac-address sticky
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
ip classless
ip http server
ip http secure-server
!
ip tacacs source-interface GigabitEthernet1/0/25
!
ip radius source-interface Vlan10 vrf default
ip sla enable reaction-alerts
logging 10.7.4.33
logging 10.30.0.34
access-list 10 permit 10.30.0.34 log
access-list 10 permit 10.30.0.151 log
access-list 10 permit 10.230.0.50 log
access-list 10 deny   any log
!
snmp-server group rwsrf v3 auth read rwview write rwview
snmp-server view rwview internet included
snmp-server community rosrf RO 10
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
tacacs-server host 10.7.4.23
tacacs-server host 10.7.4.22
tacacs-server directed-request
tacacs-server key 7 09754F021046461C020731
radius-server host 10.7.4.23 auth-port 1645 acct-port 1646
radius-server key 7 0317530A140A255F4B0A0B0003
!
banner login

!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!You are accessing a U.S. Government (USG) Information System
!(IS) that is provided for USG-authorized use only.
!By using this IS (which includes any device attached
!to this IS), you consent to the following conditions:
!-The USG routinely intercepts and monitors communications on
!this IS for purposes including, but not limited to, penetration
!testing, COMSEC monitoring, network operations and defense,
!personnel misconduct (PM), law enforcement (LE), and
!counterintelligence (CI) investigations. At any time, the USG
!may inspect and seize data stored on this IS.
!-Communications using, or data stored on,
!this IS are not private, are subject to routine monitoring,
!interception, and search, and may be disclosed or used for
!any USG-authorized purpose.
!-This IS includes security measures
!(e.g., authentication and access controls) to protect USG
!interests--not for your personal benefit or privacy.
!-Notwithstanding the above, using this IS does not
!constitute consent to PM, LE or CI investigative searching or
!monitoring of the content of privileged communications, or work
!product, related to personal representation or services
!by attorneys, psychotherapists, or clergy, and their assistants.
!Such communications and work product are private and confidential.
!See User Agreement for details.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!

banner motd

Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!This is a Department of Defense computer system.
!This computer system,including all relxted equipment, networks
!and network devices (specifically including internet access),
!are xrovided only for authorized U.S. Government use.
!DOD computer system may be monitored for all lawful purposes,
!including to ensure that their use is authorized, for management
!of the system, to facilitate protection against unauthorized
!access,and to verify security proctdues, survivability and
!operational security. Monitoring includes active attacks by
!authorized DOD entities to test or verify the security of
!this system. During monitoring, information may be examined,
!recorded, copied and used for authorized purposes. All information,
!including personal information placed on or send over this
!system may be monitored.Use of this DOD computer system,
!authorized or unauthorized, constitutes consent to monitoring
!of this system. Unauthorized use may subject you to criminal
!prosecution. Evidence of unauthohized use collected during
!monitoring may be Used for administrative, criminal or other
!adverve action. Use of this system constitutes consent to
!monitoring for these purposes.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

!
line con 0
 exec-timeout 9 0
 logging synchronous
line vty 0 4
 password 7 03165E06090132
 logging synchronous
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp authentication-key 10 md5 025132403B535C365D1F47512B0E152A 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 36029083
ntp server 10.7.60.20
ntp server 10.30.0.13
end

As per the above configuration, enable authentication is set to TACACS first and then the local enable password in case TACACS goes down. Since TACACS is integrated with AD, you should be able to log in to the device using the same login user password as the enable password.

Username: Eric

Password: Jones

>enable

Password: Jones ......>>>> You need to type the same password as above to land in privileged EXEC mode.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
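An added example (not from this thread or from Cisco) that encodes the method-list behaviour Jatin describes: it parses the aaa authentication lines from a constructed excerpt of the config above, shows that a list only falls through to the local enable password when the TACACS+ group is unreachable (an ERROR), never when the server rejects the password (a FAIL), and flags that the named VTY and CONSOLE lists are not applied to any line, so the default list governs them. Function and variable names are the example's own.

```python
import re

# Constructed excerpt of the AAA and line sections of the switch config posted in this thread.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
line con 0
 exec-timeout 9 0
line vty 0 4
 transport input ssh
"""
AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")

def parse_method_lists(config):
    """Return {(kind, list_name): [method, ...]} from the 'aaa authentication' lines."""
    lists = {}
    for raw in config.splitlines():
        m = AUTH_RE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        toks, methods = rest.split(), []
        while toks:
            n = 2 if toks[0] == "group" else 1  # 'group <servers>' is a single method
            methods.append(" ".join(toks[:n]))
            del toks[:n]
        lists[(kind, name)] = methods
    return lists

def applied_login_lists(config):
    """Map each 'line' block to its login list: 'default' unless overridden under the line."""
    applied, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line
            applied[current] = "default"
        elif current and line.startswith("login authentication "):
            applied[current] = line.split()[-1]
    return applied

def evaluate(methods, tacacs_reachable, tacacs_accepts):
    """Walk a method list the way IOS does: the next method is consulted only when the
    current one returns ERROR (server unreachable), never after a FAIL (reject)."""
    for method in methods:
        if not method.startswith("group "):
            return method, "CONSULTED"  # enable/local/line password decides here
        if tacacs_reachable:
            return method, "PASS" if tacacs_accepts else "FAIL"
        # ERROR: the server group is unreachable, so fall through to the next method
    return None, "FAIL"

def audit(config):
    """Report named login lists that no 'line' block applies; those lines use 'default'."""
    lists, applied = parse_method_lists(config), applied_login_lists(config)
    return [f"login list '{name}' is defined but not applied to any line"
            for kind, name in lists
            if kind == "login" and name != "default" and name not in applied.values()]
```

If the local enable secret is the only password accepted at enable, the switch is taking the ERROR path, i.e. TACACS+ is not answering, which is consistent with the network-device IP range problem in ACS that Eric reports later in the thread.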

Hello, I figured out what went wrong for some of my issues.

1. I had the IP addresses in the wrong format. I had to change them to 10.#-#.*.* or 10.0.#-#.#-# or a variation.

Using 10.*.*.* was causing issues so nothing worked properly.

2. The other issue was resolved by bringing up and configuring the 2nd ACS, which was in better shape. The default items were already there so modifying the Default Device Admin profile was easy.

I think the first ACS is causing a problem so I'll be re-imaging that one and starting from scratch now that I have a working model.

ej

Hi Eric,

Thanks for sharing and keep this thread updated.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Eric R. Jones
Level 4

Rebuilt the problem ACS and applied all the updates.

Then promoted it back to primary.

ej
