Currently I am using the local database for authentication on my pfSense. I know that Cisco's IOS has backup authentication methods for the cases when the primary one fails. You can even choose not to authenticate at all if all servers fail. I want to use the AD user base to organize user control, but here is a question: what will happen when AD fails, can pfSense fall back to the local database?
Good day!
I logged into a Cisco management router located in our company network and issued the show users command, and it gave the following output. The 3rd line, vty 4, is me. I am concerned about the 2 other entries because I am 100% sure no one except me should be logged into the router from the inside during this hour. Also, the entries do not contain usernames. I've traced the IPs of these users to different locations around the globe. The output of the command changes from time to time.
What do these entries without username mean?
Thank you!
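On IOS, a VTY line appears in show users with an empty User column while a connection to it is open but the login has not yet completed, so such entries are open sessions that have not authenticated. The following is an added example (not part of the post, and the poster's real output is not included in the question): it parses show users output by the header's column positions, then flags VTY sessions that have no username or that come from an address outside an assumed internal range. The sample output, the INTERNAL_NETWORKS list and the addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of IOS "show users" output (not the poster's real output).
# Column layout follows the usual IOS format; the "*" marks the caller's own line.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:00
 194 vty 2                idle                 00:00:04 203.0.113.45
 195 vty 3                idle                 00:00:01 198.51.100.7
*196 vty 4     netadmin   idle                 00:00:00 10.20.30.40

  Interface    User               Mode         Idle     Peer Address
"""

# Assumed internal address space for this example; adjust to the real network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_COL_RE = re.compile(r"^\*?\s*(\d+)\s+(\S+\s+\d+)$")


def parse_show_users(text):
    """Return one dict per terminal line listed in the first table of "show users"."""
    lines = text.splitlines()
    header_idx = next(
        i for i, l in enumerate(lines)
        if "Line" in l and "User" in l and "Location" in l
    )
    header = lines[header_idx]
    # Column starts come from the header; the Line column starts at 0 because
    # the "*" active-line marker is printed left of the "Line" heading.
    user_start = header.index("User")
    host_start = header.index("Host(s)")
    idle_start = header.index("Idle")

    sessions = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            break  # blank line ends the terminal-line table (interface table follows)
        line_col = line[:user_start].strip()
        m = LINE_COL_RE.match(line_col)
        if not m:
            continue  # not a session row
        # Idle and Location are split by whitespace rather than by column, since
        # the Location text does not always start exactly under its heading.
        tail = line[idle_start:].split(None, 1)
        sessions.append({
            "active": line_col.startswith("*"),
            "number": int(m.group(1)),
            "tty": m.group(2),
            "user": line[user_start:host_start].strip(),
            "host": line[host_start:idle_start].strip(),
            "idle": tail[0] if tail else "",
            "location": tail[1].strip() if len(tail) > 1 else "",
        })
    return sessions


def suspicious_sessions(sessions, internal_networks):
    """Flag VTY sessions that have not authenticated or come from outside the given networks."""
    flagged = []
    for s in sessions:
        if not s["tty"].startswith("vty"):
            continue  # console/aux lines are not remote sessions
        reasons = []
        if not s["user"]:
            reasons.append("no username: login not completed")
        if s["location"]:
            try:
                addr = ipaddress.ip_address(s["location"])
            except ValueError:
                addr = None  # Location may be a hostname; not checked here
            if addr is not None and not any(addr in n for n in internal_networks):
                reasons.append("source outside internal address space")
        if reasons:
            flagged.append((s["tty"], s["location"], reasons))
    return flagged


if __name__ == "__main__":
    for tty, location, reasons in suspicious_sessions(
            parse_show_users(SAMPLE_SHOW_USERS), INTERNAL_NETWORKS):
        print(f"{tty} from {location or '?'}: {'; '.join(reasons)}")
```

Run against the constructed sample, the script reports vty 2 and vty 3 as unauthenticated sessions from outside the internal ranges and says nothing about the authenticated vty 4 session. The same parser can be fed the output of a scheduled show users collection to keep a record of who was connected to the management line and when.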
We have a pair of ASA 5510s (8.4.3) on which we use LDAP authentication for VPN and SSH access. On all of our Catalyst switches, which use RADIUS, we're able to set the shell:priv-lvl to 15 in the RADIUS config (2008R2 NPS). However, the best I can find on the ASAs, including in all the Cisco docs, is to abuse some other field, such as title or company, by sticking "15" into it and mapping that to the Privilege-Level RADIUS attribute in the AAA config. What I really want to do is assign anyone in an AD group L15 privs on the ASAs without having to type in a shared password. Anyone know if there's a way to do this?
I am setting up our new ASAs at Stack Exchange and am trying to follow some best practices like using configuration management and minimum-permissions-necessary users. What I'm trying to do is utilize the https server to download the running config. If you were unaware, when https is enabled and you have sufficient privileges, you can go to https://asa-ip/config to download the current running config.
There are two problems I am trying to solve:
I have set up LDAP access for the ASA so that we can use our Active Directory to auth to the ASA. It works via ssh, but http still seems to use the LOCAL database, and I'm unaware of the command to cause the http server to look up users from the LDAP source.
Which aaa commands are necessary to authorize a lower-privilege user the ability to download the config in this manner? Is this even possible or am I stuck making a priv 15 user?
We are looking at implementing 802.1x on a wired/wireless network. What I am looking for is a device that can act as a supplicant and once authenticated on the network, is able to pass traffic from any downstream connected device.
The point of doing this would be to allow a properly pre-configured device to be provided to a client user who could then connect any device on the downstream side of the device. We will be able to manage the aggregate traffic on the device without concern for what is connected on the far side.
Am I dreaming; does every device out there support this and I just don't know it, or does reality fall somewhere in the middle?