Andrew,
1. Sounds like an English class. Don't understand ;).

2. Most likely you won't have to fully test CTA in the lab, but doing it in practice is of great help. You can do it from IE if you select the proper root trust store. It is always good to know multiple methods. The ACS certificate is needed for posture validation credentials. As with L2 and L3 NAC, there are no user credential requirements.

3. aaa authentication enable default ... would probably have helped with your problem. You may have forgotten to authorize exec before you got it to work after the reload.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Wurster
Sent: Saturday, February 26, 2011 12:08 PM
To: OSL Security
Subject: [OSL | CCIE_Security] IOS AAA gripes and lessons learned

hey guys - I figured I'd share a few stumbling points I ran into yesterday during my AAA lab practices. Never a dull moment!

andrew

#1 - adding a "verb" command followed by an "adjective" always seems to auto-fill the parent command with just the "verb". I couldn't find anything on it, except by reading between the lines in the lab's solution guide. And THEN I came across this little gem inside the IOS Securing User Services guide:

privilege exec level 7 configure terminal
!
! the privilege exec level 7 configure command below is entered automatically
! when you enter the privilege exec level 7 configure terminal command above, do
! not enter it again
privilege exec level 7 configure

so it would seem that . I think the ipexpert instructors' mantra of "test your solutions thoroughly" really pays off in situations like this. For instance, the first go round, I had gotten the "show" commands right, but the "configure" ones I added in with different privilege levels (gave "configure" level 10 and "configure terminal" level 5).

#2 - is it required to do all those complicated steps to get the Cisco Trust Agent to load and run properly? I tried to follow along with the VOD on that task since I have zero experience with CTA, but I was having lots of problems getting the program to even open properly :/ .

1. disable wired auto-config service in services - would we need to play with services in the lab?
2. import ACS cert via CLI - can't we just use IE to install the cert into the root store? Does the client require a server certificate to launch?
3. connect to client via VNC - I'm pretty sure I understand why we need this - but I can't remember if there is VNC in the lab or not?

#3 - after configuring AAA local command authorization, I was unable to authorize use of enable mode for a RADIUS-authed user. I don't know if this was a bug, or an order of operations issue, but of course after a reload everything worked as expected with no config changes at all... Let me know if I missed anything the first time!?! Specifically this was lab task 5.4 I believe.
R8(config)#do sh run | s user|aaa|vty
aaa new-model
aaa authentication login default none
aaa authentication login VTY_ACCESS group radius local
aaa authorization exec default none
aaa authorization exec VTY_ACCESS local
aaa accounting exec VTY_ACCESS action-type start-stop group radius
aaa session-id common
username raduser1 privilege 15 password 0 !pexpert123
username raduser2 privilege 5 password 0 !pexpert123
line vty 0 4
 authorization exec VTY_ACCESS
 accounting exec VTY_ACCESS
 login authentication VTY_ACCESS
line vty 5 15
 authorization exec VTY_ACCESS
 accounting exec VTY_ACCESS
 login authentication VTY_ACCESS

!!! failed authorization attempt to use "enable" command after successful remote RADIUS authentication !!!

Feb 25 23:50:00.299: AAA/AUTHOR: auth_need : user= 'raduser1' ruser= 'R8'rem_addr= '10.2.2.5' priv= 0 list= '' AUTHOR-TYPE= 'command'
Feb 25 23:50:00.299: AAA: parse name=tty515 idb type=-1 tty=-1
Feb 25 23:50:00.299: AAA: name=tty515 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=515 channel=0
Feb 25 23:50:00.299: AAA/MEMORY: create_user (0x496634A4) user='raduser1' ruser='NULL' ds0=0 port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): port='tty515' list='VTY_ACCESS' action=LOGIN service=ENABLE
R8(config)#
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): non-console enable - default to enable password
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): Method=ENABLE
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): can't find any passwords
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): no methods left to try
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): failed to authenticate
Feb 25 23:50:00.299: AAA/MEMORY: free_user (0x496634A4) user='raduser1' ruser='NULL' port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
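The debug above already names the failure: with aaa new-model and no "aaa authentication enable" list, a non-console enable request falls back to the enable password method ("non-console enable - default to enable password"), and since R8 has no enable password or secret either, the method has nothing to check against ("can't find any passwords", Status=ERROR). The fragment below is an added example of the fix Tyson refers to, written for this thread and not taken from either message or from the IPexpert lab; the enable secret, RADIUS server address and shared key are placeholders, and the RADIUS host line is an assumption about how R8's "group radius" servers were defined.

```text
! Added example (not from the thread): give R8 an enable method list that can
! succeed for a user who logged in over RADIUS.
!
! Before (as posted): no "aaa authentication enable ..." list and no enable
! secret, so "enable" on a vty has no password to compare against.
!
! After:
!
! 1. A local enable secret, so the "enable" method has something to check.
!    (placeholder value - choose your own)
enable secret MyEnableSecret
!
! 2. The RADIUS server the "group radius" method lists already point at.
!    (address and key are assumptions, not R8's real values)
radius-server host 10.2.2.100 auth-port 1812 acct-port 1813 key MyRadiusKey
!
! 3. Authenticate "enable" against RADIUS first, then fall back to the local
!    enable secret if the server is unreachable. For a RADIUS enable request
!    IOS sends the reserved username $enab15$, not the logged-in user's name,
!    so the ACS/RADIUS side needs an account by that name (or just rely on the
!    "enable" fallback in the lab).
aaa authentication enable default group radius enable
!
! Alternative that avoids "enable" entirely for raduser1: the posted
! "aaa authorization exec VTY_ACCESS local" plus "username raduser1
! privilege 15" drops the user straight into priv 15 at login, provided exec
! authorization is actually applied to the vty lines (which the posted config
! does with "authorization exec VTY_ACCESS").
```

After applying it, "show aaa method-lists authentication" should list an enable method list named default with the methods radius and enable, and a repeat of "debug aaa authentication" on a fresh vty session should no longer show the "default to enable password" fallback for the enable request.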
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
