Contents. Introduction. Prerequisites. Requirements. Components Used


Contents

Introduction
Prerequisites
Requirements
Components Used
Background Information
Example TACACs setup
Example HTTPS configuration
Commands run by CM on WAAS Express/APPNAV-XE via HTTP
Config Mode CLIs
EXEC Mode CLIs
WAASX - Status
WAASX - Configuration
WAASX - Statistics
Registration
AppNav-XE
Troubleshoot
On WAAS Central Manager CLI
Test HTTPS access from browser
Debug on WAAS Express router

Introduction

This document describes how to configure Wide Area Application Services (WAAS) Express/APPNAV-XE with Terminal Access Controller Access Control System (TACACS) and Authentication, Authorization and Accounting (AAA) command authorization.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

- Cisco WAAS
- AAA authorization
- TACACS

Components Used

The information in this document is based on these software and hardware versions:

- WAAS 6.1.1x
- 2900 Routers
- IOS Version 15.2(4)M3

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The WAAS Central Manager requires Secure Shell (SSH) and HTTPS in order to access WAAS Express and APPNAV-XE routers.

Secure Shell (SSH) is used for initial configuration/registration.

HTTPS is used for ongoing configuration and monitoring.

Often the combination of HTTPS and AAA configuration on the device prevents the central manager from communicating with these devices correctly.

Example TACACs setup

Example HTTPS configuration

Commands run by CM on WAAS Express/APPNAV-XE via HTTP

This is a list of the commands that the central manager needs to be able to run on the remote device.

Config Mode CLIs

EXEC Mode CLIs

WAASX - Status

WAASX - Configuration

WAASX - Statistics

Registration

AppNav-XE

Troubleshoot

Incorrect AAA or HTTP configuration on the end device can cause registration failures and status update failures.

Note: The simplest way to test if there is an authorization issue is to set up a local WAAS user, local AAA authentication and ip http authentication local. If this test configuration works, you likely have an issue with your remote user command authorization.

On WAAS Central Manager CLI

Confirm that you can SSH from the CM CLI to the remote device.

Enable CMS debug on the CM and review the cms.log and waasx-audit.log files during registration, configuration push and statistics gathering.

# debug cms waasx-regis
# debug cms router-config
# debug cms stats
(config)# logging disk priority 7
# cd errorlog
# type-tail cms.log follow
# type-tail waasx-audit.log follow

Example log entries when the CM fails to push commands to WAAS-Express or AppNav-XE:

05/27/2016 00:14:03.760 [I] cdm(rtrsync-40) Configuration commands failed on the device CeConfig_2875943/USNY25W39-R02. Not Taking backup of complete device configuration.
05/27/2016 00:14:03.774 [W] cdm(rtrsync-64) 700001 Failed configuration commands are...
05/27/2016 00:14:03.774 [W] cdm(rtrsync-64) 700001 class-map type appnav match-any HTTPS CLI:class-map type appnav match-any HTTPS Status:8 Output:Command authorization failed.

Test HTTPS access from browser

You can log in to the HTTP interface.

https://<ip_address>/level/15/exec/-/

Then type your commands into the section.

Example of a working show inventory command

Example of a failing show inventory command

Debug on WAAS Express router

#debug aaa authorization

Command running successfully

Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): user=waasx
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV service=shell
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd=show
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd-arg=vrf
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd-arg=
Jul 5 07:09:19.365: AAA/AUTHOR (2935402750): Post authorization status = PASS_ADD

Authorization failure

Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): user=waasx
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV service=shell
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd=show
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd-arg=inventory
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd-arg=
Jul 5 07:08:32.685: AAA/AUTHOR (819547031): Post authorization status = FAIL
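
The debug output above can be reduced to the list of commands the TACACS+ server refused, which is what has to be added to the command authorization set for the Central Manager user. The following is an added example, not part of the original Cisco document: it groups debug aaa authorization lines by request id and rebuilds each command. The function names parse_authorizations and denied_commands are hypothetical, and the sample input is the debug output from this page.

```python
import re

# Debug lines copied from the "Debug on WAAS Express router" output on this page.
SAMPLE = """\
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): user=waasx
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV service=shell
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd=show
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd-arg=vrf
Jul 5 07:09:19.161: AAA/AUTHOR/TAC+: (2935402750): send AV cmd-arg=
Jul 5 07:09:19.365: AAA/AUTHOR (2935402750): Post authorization status = PASS_ADD
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): user=waasx
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV service=shell
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd=show
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd-arg=inventory
Jul 5 07:08:32.485: AAA/AUTHOR/TAC+: (819547031): send AV cmd-arg=
Jul 5 07:08:32.685: AAA/AUTHOR (819547031): Post authorization status = FAIL
"""

AV_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): (?:send AV )?(user|service|cmd-arg|cmd)=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")

def parse_authorizations(text):
    """Group debug lines by request id and rebuild each command line."""
    requests = {}  # dicts keep insertion order, so results follow the log order
    for line in text.splitlines():
        av = AV_RE.search(line.rstrip())
        status = STATUS_RE.search(line)
        if not (av or status):
            continue  # unrelated debug or syslog line
        rid = (av or status).group(1)
        req = requests.setdefault(rid, {"user": None, "service": None, "argv": [], "status": None})
        if status:
            req["status"] = status.group(2)
        elif av.group(2) in ("cmd", "cmd-arg"):
            # An empty cmd-arg (as printed here) or "<cr>" only terminates the command.
            if av.group(3) not in ("", "<cr>"):
                req["argv"].append(av.group(3))
        else:
            req[av.group(2)] = av.group(3)
    return [dict(r, command=" ".join(r["argv"])) for r in requests.values()]

def denied_commands(text):
    """Return (user, command) pairs whose final status is not PASS_*."""
    return [(r["user"], r["command"]) for r in parse_authorizations(text)
            if r["status"] is not None and not r["status"].startswith("PASS")]

if __name__ == "__main__":
    for user, command in denied_commands(SAMPLE):
        print(f"not authorized for {user}: {command}")
```

Capture the router debug while the Central Manager registers the device or pushes configuration, then feed the saved text to denied_commands to see which commands the authorization policy is missing.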