Help me! Backup error on CNA

  • Help me! Backup error on CNA

    Hi, everyone!

    I have run into the following error and hope you can advise.

    I get an error when backing up the switches with CNA after applying ACS to do AAA for the entire switch system. The cause of the error is that when connecting to the switches in CNA to back up, CNA only asks for the enable mode password, so perhaps it has not been authenticated by ACS.

    If anyone knows how to fix this error, please advise.

    Thanks!

    ThangPN.

  • #2
    Originally posted by minhthu
    Hi, everyone!

    I have run into the following error and hope you can advise.

    I get an error when backing up the switches with CNA after applying ACS to do AAA for the entire switch system. The cause of the error is that when connecting to the switches in CNA to back up, CNA only asks for the enable mode password, so perhaps it has not been authenticated by ACS.

    If anyone knows how to fix this error, please advise.

    Thanks!

    ThangPN.

    hi minhthu,
    I don't quite understand what you mean, but if you are asking "how to recover the password" on a Cisco switch, you can refer to the following link:
    This document describes the password recovery procedure for the Cisco Catalyst Layer 2 and Cisco Catalyst Layer 3 fixed configuration switches.

    HTH,



    • #3
      Hi, BinhHD!

      I mean it is not that I lost the password. Rather, after applying ACS to do AAA for the switch system, accessing the switches requires entering the AD user/password first, and only then the user exec mode password and the enable mode password. When I use CNA to connect to the switch system, CNA only asks for the enable password, so perhaps I don't have backup/restore rights.

      ThangPN.



      • #4
        Then you need to show the AAA part of the configuration on your switch. Run the show run command and post the output here.
        Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

        Email : dangquangminh@vnpro.org
        https://www.facebook.com/groups/vietprofessional/



        • #5
          Hi, Minh!

          This is the config on my access switch.

          Current configuration : 3788 bytes
          !
          version 12.1
          no service pad
          service timestamps debug uptime
          service timestamps log uptime
          service password-encryption
          !
          hostname CG-T10-SWM
          !
          aaa new-model
          aaa authentication login default group tacacs+ local
          aaa authorization config-commands
          aaa authorization exec default group tacacs+ local
          aaa authorization commands 15 default group tacacs+ local
          aaa accounting send stop-record authentication failure
          aaa accounting commands 15 default start-stop group tacacs+
          aaa accounting system default start-stop group tacacs+
          enable secret 5 $1$xOEL$K0y4Drjv4XzxMaHBusFz.1
          !
          username admin password 7 1513081F247B7977
          ip subnet-zero
          !
          ip dhcp snooping vlan 1 1005
          ip dhcp snooping
          !
          !
          spanning-tree mode pvst
          no spanning-tree optimize bpdu transmission
          spanning-tree extend system-id
          no spanning-tree vlan 3,10,19,98,178-200,300,303-304,401-402
          !
          !
          !
          !
          interface FastEthernet0/1
          switchport mode trunk
          ip dhcp snooping trust
          !
          interface FastEthernet0/2
          switchport access vlan 136
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/3
          switchport access vlan 193
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/4
          switchport access vlan 152
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/5
          switchport access vlan 193
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/6
          switchport access vlan 152
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/7
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/8
          switchport mode trunk
          !
          interface FastEthernet0/9
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/10
          switchport access vlan 193
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/11
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/12
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/13
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/14
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/15
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/16
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/17
          switchport access vlan 122
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/18
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/19
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/20
          switchport access vlan 193
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/21
          switchport access vlan 141
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/22
          switchport access vlan 153
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/23
          switchport access vlan 193
          switchport mode access
          spanning-tree portfast
          !
          interface FastEthernet0/24
          switchport mode trunk
          !
          interface GigabitEthernet0/1
          switchport mode trunk
          ip dhcp snooping trust
          !
          interface GigabitEthernet0/2
          switchport mode trunk
          ip dhcp snooping trust
          !
          interface Vlan1
          ip address 10.0.0.181 255.255.255.0
          no ip route-cache
          !
          ip default-gateway 10.0.0.1
          ip http server
          snmp-server community fsoft RW
          tacacs-server host 10.16.34.161
          tacacs-server key 123456
          !
          line con 0
          password 7 1511021F07250B373F3A21211B554553
          line vty 0 4
          password 7 141101040A102924362D1326351A13150B530509
          line vty 5 15
          password 7 03024804001B22435C0C3916001B1F0F0C787874
          !
          !
          end


          I have granted full rights on the ACS server to the user responsible for backups.

          ThangPN.
          Last edited by minhthu; 09-07-2008, 01:33 PM.



          • #6
            hi

            When you connect to the switch from the CNA software, do you see the ACS server logging that telnet event? Check the Report section of the ACS server.

            One thing to check is whether the connection from CNA to the switch is telnet or ssh.
            Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

            Email : dangquangminh@vnpro.org
            https://www.facebook.com/groups/vietprofessional/



            • #7
              Hi

              When I connect from CNA to the switch, if the connection fails, ACS logs it in the failed attempts section, but when I type the correct enable password the connection succeeds and I do not see ACS log it in the Passed authentications section.

              I connect from CNA to the switch over HTTP, and by default it requires me to use the enable password to connect. I switched to a local user to connect, but it reports that there must be at least one user with privilege 15. I created the user admin on the switch and assigned it privilege 15. Connecting to the switch with this user still does not work.


              enable secret 5 $1$z2m0$oIQIw1GYGDNMAI.7pfCgi.
              !
              username admin privilege 15 password 7 06070C326C1F5B4A
              aaa new-model
              aaa authentication login default group tacacs+ local
              aaa authorization config-commands
              aaa authorization exec default group tacacs+ local
              aaa authorization commands 15 default group tacacs+ local
              aaa accounting send stop-record authentication failure
              aaa accounting commands 15 default start-stop group tacacs+
              aaa accounting system default start-stop group tacacs+

              ThangPN.
              Last edited by minhthu; 11-07-2008, 10:50 AM.



              • #8
                If CNA connects to the switch over HTTP, then you also need to enable authentication for HTTP, using a command like this:

                ip http authentication
                Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

                Email : dangquangminh@vnpro.org
                https://www.facebook.com/groups/vietprofessional/
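
An added example, not part of any post in this thread: a small Python audit of a running-config for management access that never reaches the TACACS+ server, which is the symptom described in posts #7 and #8. The sample configs, finding codes and function names are constructed for illustration, and it assumes the IOS release accepts `ip http authentication aaa`.

```python
import re

# Constructed sample modelled on the thread's running-config (secrets replaced).
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
username admin password 7 PLACEHOLDER
ip http server
snmp-server community PLACEHOLDER RW
"""
# Same device after pointing the HTTP server at the AAA method lists.
AFTER = BEFORE.replace("ip http server", "ip http server\nip http authentication aaa")


def audit_mgmt_auth(config):
    """Return (code, message) findings for management access that skips AAA."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    http_on = "ip http server" in lines or "ip http secure-server" in lines
    method = "enable"  # IOS default when no 'ip http authentication' line exists
    for ln in lines:
        m = re.fullmatch(r"ip http authentication (\S+)(?: .*)?", ln)
        if m:
            method = m.group(1)
    if http_on and "aaa new-model" in lines and method == "enable":
        findings.append(("HTTP_ENABLE_AUTH",
                         "HTTP logins use the enable password and never reach TACACS+"))
    if http_on and method == "local" and not any(
            re.match(r"username \S+ privilege 15 ", ln) for ln in lines):
        findings.append(("NO_PRIV15_USER",
                         "HTTP uses local users but none has privilege 15"))
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(("HTTP_CLEARTEXT", "management credentials cross the network unencrypted"))
    if any(re.fullmatch(r"snmp-server community \S+ RW(?: .*)?", ln) for ln in lines):
        findings.append(("SNMP_RW", "read-write SNMP community is not covered by AAA"))
    return findings


def codes(config):
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in audit_mgmt_auth(config)]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, codes(cfg))
```

The `HTTP_ENABLE_AUTH` finding corresponds to the successful CNA logins that never appeared under Passed authentications on the ACS server.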

