10-04-2013 01:59 PM - edited 03-10-2019 08:58 PM
Good morning everyone, I'm Eric Jones and I'm a Cisco equipment user.
I have some questions on the 1121 AAA server.
We have 2, one is configured to work with our Active Directory.
It accesses the AD data and will pull the username from the AD group; however, when you attempt to enter the AD group user's password it fails to log in to the IOS device chosen.
What it wants is the enable password created for the local admin account on the IOS device.
The Shell profiles and Command Sets have been created.
The binding has been completed.
The IOS device has its configuration completed.
Part II of this issue.
When I first began configuring the device there were no Default Device Admin or Default Network Admin Access Policies configured.
I had to create these myself.
After that surprise everything went smoothly as mentioned above with the Shell Profiles and Command Sets.
Has anyone seen this issue before?
Part III of this issue.
When entering the Monitoring and Reports section and enabling Support Bundle I get an error when trying to start it.
I get a red warning banner at the top stating the server isn't running. Well, clearly it's running, but it doesn't think so.
Also when trying to view the reports to see any accounting, authorization, authentication information in the logs there's nothing there.
I have configured the logs to write to a Server but nothing ever gets written.
And since nothing is being done locally on the ACS I can't tell why it's not writing to the server.
Any thoughts?
ej
10-04-2013 02:27 PM
1.] Could you please paste the IOS configuration here? I need to see how you have configured your enable authentication on the IOS device. If it is pointed towards ACS then you should type the same enable password as the one you used for user login.
If you have it pointed towards the local database then you should have an enable password defined on the IOS like this:
enable secret [password]
2.] Default Device Admin or Default Network Admin Access Policies should be predefined there. You should not have to configure this. Were you able to see access-policies before? If you can't see them all of a sudden then this may be an issue of data corruption, but that still needs to be confirmed.
3.] Is your view database running fine? Can you get the output of show application status acs from the ACS CLI?
What do you see in log collector settings on the ACS?
Do we have both these boxes in a distributed environment, or are they standalone in different regions?
~BR
Jatin Katyal
**Do rate helpful posts**
10-04-2013 03:24 PM
I don't have access to the box right now so I'll have to post that later.
As for the next 2 & 3.
2. Those predefined policies were not configured, I had to build those myself. I thought this was odd because when I took the ACS course they were already there. I'm using my lab notes to help configure the box.
3. When I access the cli and run show application status I get information back showing that all the listed processes/services are running.
The log collector is pointing to the local device and I have also configured it to point to server with NFS mount for log collection in case the box becomes inaccessible.
ej
10-05-2013 05:34 PM
Here is the config minus some sensitive password information and ACL lists.
!
! Last configuration change at 23:25:58 UTC Wed Oct 2 2013 by a1236ej
! NVRAM config last updated at 23:19:01 UTC Wed Oct 2 2013 by a1236ej
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 209-G2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa group server radius 10.2.9.2
!
aaa group server radius yacs001
!
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+
aaa authorization commands 1 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 1
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 1 CONSOLE start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-24ts
system mtu routing 1500
vtp mode transparent
ip domain-name srf.local
!
!
!
!
crypto pki trustpoint TP-self-signed-3353342592
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3353342592
revocation-check none
rsakeypair TP-self-signed-3353342592
!
!
crypto pki certificate chain TP-self-signed-3353342592
certificate self-signed 01
quit
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
vlan 10,209
!
vlan 999
shutdown
!
ip ssh version 2
!
!
!
interface Loopback5
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 209
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
!
interface GigabitEthernet1/0/26
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
!
interface GigabitEthernet1/0/27
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
!
interface GigabitEthernet1/0/28
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,209
switchport mode trunk
switchport port-security mac-address sticky
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip classless
ip http server
ip http secure-server
!
ip tacacs source-interface GigabitEthernet1/0/25
!
ip radius source-interface Vlan10 vrf default
ip sla enable reaction-alerts
logging 10.7.4.33
logging 10.30.0.34
access-list 10 permit 10.30.0.34 log
access-list 10 permit 10.30.0.151 log
access-list 10 permit 10.230.0.50 log
access-list 10 deny any log
!
snmp-server group rwsrf v3 auth read rwview write rwview
snmp-server view rwview internet included
snmp-server community rosrf RO 10
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
tacacs-server host 10.7.4.23
tacacs-server host 10.7.4.22
tacacs-server directed-request
tacacs-server key 7 09754F021046461C020731
radius-server host 10.7.4.23 auth-port 1645 acct-port 1646
radius-server key 7 0317530A140A255F4B0A0B0003
!
banner login
!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!You are accessing a U.S. Government (USG) Information System
!(IS) that is provided for USG-authorized use only.
!By using this IS (which includes any device attached
!to this IS), you consent to the following conditions:
!-The USG routinely intercepts and monitors communications on
!this IS for purposes including, but not limited to, penetration
!testing, COMSEC monitoring, network operations and defense,
!personnel misconduct (PM), law enforcement (LE), and
!counterintelligence (CI) investigations. At any time, the USG
!may inspect and seize data stored on this IS.
!-Communications using, or data stored on,
!this IS are not private, are subject to routine monitoring,
!interception, and search, and may be disclosed or used for
!any USG-authorized purpose.
!-This IS includes security measures
!(e.g., authentication and access controls) to protect USG
!interests--not for your personal benefit or privacy.
!-Notwithstanding the above, using this IS does not
!constitute consent to PM, LE or CI investigative searching or
!monitoring of the content of privileged communications, or work
!product, related to personal representation or services
!by attorneys, psychotherapists, or clergy, and their assistants.
!Such communications and work product are private and confidential.
!See User Agreement for details.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
banner motd
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!This is a Department of Defense computer system.
!This computer system,including all relxted equipment, networks
!and network devices (specifically including internet access),
!are xrovided only for authorized U.S. Government use.
!DOD computer system may be monitored for all lawful purposes,
!including to ensure that their use is authorized, for management
!of the system, to facilitate protection against unauthorized
!access,and to verify security proctdues, survivability and
!operational security. Monitoring includes active attacks by
!authorized DOD entities to test or verify the security of
!this system. During monitoring, information may be examined,
!recorded, copied and used for authorized purposes. All information,
!including personal information placed on or send over this
!system may be monitored.Use of this DOD computer system,
!authorized or unauthorized, constitutes consent to monitoring
!of this system. Unauthorized use may subject you to criminal
!prosecution. Evidence of unauthohized use collected during
!monitoring may be Used for administrative, criminal or other
!adverve action. Use of this system constitutes consent to
!monitoring for these purposes.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
line con 0
exec-timeout 9 0
logging synchronous
line vty 0 4
password 7 03165E06090132
logging synchronous
transport input ssh
line vty 5 15
transport input ssh
!
ntp authentication-key 10 md5 025132403B535C365D1F47512B0E152A 7
ntp authenticate
ntp trusted-key 10
ntp clock-period 36029083
ntp server 10.7.60.20
ntp server 10.30.0.13
end
10-08-2013 02:48 AM
As per the above configuration, enable authentication is set to tacacs first and then the local enable password in case tacacs goes down. Since the tacacs is integrated with AD, you should be able to log in to the device using the same login user password as the enable password.
Username: Eric
Password: Jones
>enable
Password: Jones ......>>>> You need to type the same password as above to land in privileged exec mode.
~BR
Jatin Katyal
**Do rate helpful posts**
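An added example, not code from the thread: a small parser that reads the `aaa authentication` / `aaa authorization` lines of an IOS config like the one posted and reports, for each method list, which method decides and which ones are only reached when the first server group is unreachable (IOS moves to the next method on an ERROR, not on a rejected password). `SAMPLE_CONFIG` is an excerpt constructed from the posted config; the function names are my own.

```python
import re

# Constructed excerpt, modelled on the AAA lines of the config posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable line
aaa authentication login VTY group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
"""

# aaa <authentication|authorization> <service> [level] <list-name> <methods...>
AAA_RE = re.compile(
    r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

def parse_method_lists(config):
    """Map (kind, service, list_name) -> ordered list of methods.
    'group <name>' is kept as one token, e.g. 'group tacacs+'."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        kind, service, level, name, rest = m.groups()
        if level:                      # e.g. 'commands 15'
            service = f"{service} {level}"
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[(kind, service, name)] = methods
    return lists

def fallback_note(methods):
    """IOS tries the next method only when the current one returns ERROR
    (server group unreachable); a FAIL (wrong password) ends the attempt."""
    if len(methods) < 2:
        return f"{methods[0]} only; no fallback at all"
    return (f"{methods[0]} decides; {', '.join(methods[1:])} used only if "
            f"{methods[0]} is unreachable")

def enable_password_source(lists):
    """Which credential the 'enable' prompt expects, the thread's point."""
    methods = lists.get(("authentication", "enable", "default"))
    if not methods:
        return "the local enable secret/password (no AAA enable list)"
    if methods[0] == "group tacacs+":
        return "the same password used at login (TACACS+/AD), not the local enable secret"
    return "the local enable secret" if methods[0] == "enable" else methods[0]

if __name__ == "__main__":
    ml = parse_method_lists(SAMPLE_CONFIG)
    for key, methods in ml.items():
        print(" ".join(key), "->", fallback_note(methods))
    print("enable prompt expects:", enable_password_source(ml))
```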
10-10-2013 08:35 PM
Hello, I figured out what went wrong for some of my issues.
1. I had the IP addresses in the wrong format. I had to change them to 10.#-#.*.* or 10.0.#-#.#-# or a variation.
Using 10.*.*.* was causing issues so nothing worked properly.
2. The other issue was resolved by bringing up and configuring the 2nd ACS which was in better shape. The default items were already there so modifying the Default Device Admin profile was easy.
I think the first ACS is causing a problem so I'll be re-imaging that one and starting from scratch now that I have a working model.
ej
10-11-2013 02:13 AM
Hi Eric,
Thanks for sharing and keep this thread updated.
~BR
Jatin Katyal
**Do rate helpful posts**
01-21-2014 11:59 AM
Rebuilt the problem ACS and applied all the updates.
Then promoted it back to primary.
ej