hah thanks, tyson. in my effort to be thorough - i left out a complete thought and wrote down a bunch of otherwise confusing ones :) !
as for the *privilege* command, i was just trying to drive home that if you type a multipart command like *configure terminal*, then the system will automatically add the preceding components like *configure*. i always thought that i had to type them both myself, and ended up applying them backwards AND with a typo in the privilege levels, so things really got messed up :). and if i can repro that AAA exec authorization issue, i'll confirm that for the list here. you're most likely right in that my configs may have been applied in uneven fashion.

take care!
andrew

On Sat, Feb 26, 2011 at 7:43 PM, Tyson Scott <[email protected]> wrote:

> Andrew,
>
> 1. Sounds like an English class. Don't understand ;).
>
> 2. Most likely you won't have to fully test CTA in the lab but doing it in
> practice is of great help. You can do it from IE if you select the proper
> root trust store. It is always good to know multiple methods.
>
> ACS certificate is needed for posture validation credentials. As with L2
> and L3 NAC there are no user credential requirements.
>
> 3. aaa authentication enable default ..., would probably have helped with
> your problem. You may have forgotten to authorize exec before you got it to
> work after the reload.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Andrew Wurster
> *Sent:* Saturday, February 26, 2011 12:08 PM
> *To:* OSL Security
> *Subject:* [OSL | CCIE_Security] IOS AAA gripes and lessons learned
>
> hey guys -
>
> i figured I'd share a few stumbling points I ran into yesterday during my
> AAA lab practices. never a dull moment!
>
> andrew
>
> #1 - adding a "verb" command followed by an "adjective" always seems to
> auto-fill the parent command with just the "verb". I couldn't find anything
> on it, except by reading between the lines in the lab's solution guide. and
> THEN i came across this little gem inside the IOS Securing User Services
> guide:
>
> privilege exec level 7 configure terminal
> !
> *! the privilege exec level 7 configure command below is entered automatically*
> *! when you enter the privilege exec level 7 configure terminal command above, do*
> *! not enter it again*
> !
> privilege exec level 7 configure
>
> so it would seem that . i think the ipexpert instructors' mantra of test
> your solutions thoroughly really pays off in situations like this. for
> instance, the first go round, i had gotten the "show" commands right, but
> the "configure" ones i added in with different privilege levels (gave
> "configure" level 10 and "configure terminal" level 5).
>
> #2 - is it required to do all those complicated steps to get the Cisco
> Trust Agent to load and run properly? i tried to follow along with the VOD
> on that task since i have zero experience with CTA, but i was having lots of
> problems getting the program to even open properly :/ .
>
> 1. disable wired auto-config service in services
>    - would we need to play with services in the lab?
> 2. import ACS cert via CLI
>    - can't we just use IE to install the cert into the root store? does
>      the client require a server certificate to launch?
> 3. connect to client via VNC
>    - i'm pretty sure i understand why we need this - but i can't remember
>      if there is VNC in the lab or not?
>
> #3 - after configuring AAA local command authorization, i was unable to
> authorize use of enable mode for a RADIUS-authed user. i don't know if this
> was a bug, or an order of operations issue, but of course after a reload
> everything worked as expected with no config changes at all... let me know
> if i missed anything the first time!?! specifically this was lab task 5.4 i
> believe.
>
> R8(config)#do sh run | s user|aaa|vty
> aaa new-model
> aaa authentication login default none
> aaa authentication login VTY_ACCESS group radius local
> aaa authorization exec default none
> aaa authorization exec VTY_ACCESS local
> aaa accounting exec VTY_ACCESS
>  action-type start-stop
>  group radius
> aaa session-id common
> username raduser1 privilege 15 password 0 !pexpert123
> username raduser2 privilege 5 password 0 !pexpert123
> line vty 0 4
>  authorization exec VTY_ACCESS
>  accounting exec VTY_ACCESS
>  login authentication VTY_ACCESS
> line vty 5 15
>  authorization exec VTY_ACCESS
>  accounting exec VTY_ACCESS
>  login authentication VTY_ACCESS
>
> !!! failed authorization attempt to use "enable" command after successful
> remote RADIUS authentication !!!
>
> *Feb 25 23:50:00.299: AAA/AUTHOR: auth_need : user= 'raduser1' ruser= 'R8' rem_addr= '10.2.2.5' priv= 0 list= '' AUTHOR-TYPE= 'command'*
> Feb 25 23:50:00.299: AAA: parse name=tty515 idb type=-1 tty=-1
> Feb 25 23:50:00.299: AAA: name=tty515 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=515 channel=0
> *Feb 25 23:50:00.299: AAA/MEMORY: create_user (0x496634A4) user='raduser1' ruser='NULL' ds0=0 port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)*
> Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): port='tty515' list='VTY_ACCESS' action=LOGIN service=ENABLE
> R8(config)#
> *Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): non-console enable - default to enable password*
> *Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): Method=ENABLE*
> *Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): can't find any passwords*
> Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
> *Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): no methods left to try*
> Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
> *Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): failed to authenticate*
> *Feb 25 23:50:00.299: AAA/MEMORY: free_user (0x496634A4) user='raduser1' ruser='NULL' port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)*
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
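As an added example (not part of the thread above and not IPexpert's solution), here is the relevant piece of the posted R8 configuration next to a corrected version that addresses the two lines the debug output highlights, "non-console enable - default to enable password" and "can't find any passwords". With aaa new-model and no aaa authentication enable default list, IOS authenticates a non-console "enable" against the enable password, and R8 has none configured, so the only method errors out and there are "no methods left to try". The RADIUS server address, its key and the enable secret value are assumptions; the privilege exec lines restate the auto-added parent command from #1.

```cisco
! --- As posted (fails): no enable method list and no enable secret.
! A vty user who types "enable" is authenticated with the enable
! password because no "aaa authentication enable" list exists, and
! none is configured, hence "can't find any passwords".
aaa new-model
aaa authentication login VTY_ACCESS group radius local
aaa authorization exec VTY_ACCESS local
!
! --- Corrected (added example). Values marked ASSUMED are not from the thread.
! RADIUS server definition is ASSUMED; the lab's server and key are not shown.
radius-server host 10.2.2.100 key LabRadiusKey123
!
! Local fallback so "enable" still works when the RADIUS server is unreachable.
! The secret value is ASSUMED.
enable secret LabEnable123
!
! Enable authentication: RADIUS first, then the local enable secret.
! IOS sends the username $enab15$ for a RADIUS enable request, so that
! account must exist on the server. The next method in the list is tried
! only when the previous one returns ERROR (server down); a FAIL (wrong
! password) from RADIUS is final and does not fall through to the secret.
aaa authentication enable default group radius enable
!
! --- #1 from the thread: enter the two-word command once.
! IOS adds "privilege exec level 7 configure" on its own; typing a
! "privilege exec level 10 configure" afterwards overrides that auto-added
! parent line with a different level, which is the mismatch described in #1.
privilege exec level 7 configure terminal
!
! Verify from a vty session as raduser1:
!   R8> enable          <- prompts for the RADIUS ($enab15$) or enable secret
!   R8# show privilege  <- "Current privilege level is 15"
!   R8# show run | include ^privilege   <- both lines present, same level
```

Two caveats a practitioner should take from the posted config rather than the fix: aaa authentication login default none and aaa authorization exec default none mean any line not explicitly bound to VTY_ACCESS (console, aux) gets no authentication and no exec authorization at all, which is fine for a lab exercise and not for a production device; and the ! in the plaintext lab passwords is a comment character in some IOS contexts, so test any copy-pasted username line rather than assuming it applied.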
