Cisco AAA/Identity/Nac :: 5520 - Change Shell Profile In ACS / TACACS Server Unavailable

Jan 17, 2012

I have two Nexus 5520 running 5.0(3)N1(1c).
 
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
 
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
 
The NEXUS console reports this error. (amongst many others)
 
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
 
A show system reset-reason shows:
 
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
    Reason: Reset triggered due to HA policy of Reset
    Service: Tacacs Daemon hap reset
    Version: 5.0(3)N1(1c)

Could this be a bug with Nexus/ACS?

View 3 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: How To Link Command Set To Shell Profile In ACS 5.2

Oct 18, 2011

How to link the command set to a shell profile in acs 5.2.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Unable To Map Command Set To Shell Profile

May 31, 2012

I am in the process of setting up ACS 5.2 for a network and have run into an issue when attempting to apply the following aaa commands to a network device:

aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
      
Once the commands have been applied to the device configuration I get "command authorization failed" when attempting to do anything.  Taking a quick look at the TACACS Authorization reports I see a failure reason of "13025 Command failed to match a Permit rule" and under the Selected Command Set "Deny All Commands" is listed. After doing a bit of searching, I noticed some articles online that indicate I should be able to specify the appropriate command set to the authorization profile under the Default Device Admin policy.  However, when I open up a Device Administration Authorization Policy, nowhere in the window does it display command sets that I can select from. 

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x TACACS / Radius Password Policy Profile For Different Users

Sep 4, 2012

I just came across a requirement, of implementing different password policies for different group users.
 
I can see in >>>>SYSTEM CONFIGURATION>>>>User>>AUTHENTICATION SETTINGS has only global option to implement the password complexity/no of days for active user. But i need this feature to be based for per user/group

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 / TACACS+ Accounting Network Access Profile Name Is Missing

Feb 6, 2011

I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2In the document [URL] Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.Is this some bug in ACS View or ACS or maybe I simply missing something?

View 1 Replies View Related

Cisco VPN :: Selected Shell Profile Is Showing Deny Access 5510

May 17, 2012

i have got the below long on the acs 5.2,one the vpn client user connect to asa 5510
 
Description
Selected Shell Profile is DenyAccess
Resolution Steps
Check whether the Device Administration Authorization Policy rules are correct

View 1 Replies View Related

AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2.  Identical symptoms.  The supervisor crashed and switched to secondary.  Is there a comparable field for ACS 4.1 that needs to have something in it? 2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved). 2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that if I set two tacacs server in my N7K and the primary tacacs server fail, won't switch over to another tacacs server.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASR 9010 Configuration To Connect To A Tacacs+ Server

Jun 10, 2013

We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a tacacs+ server, this tacacs+ server works and is givins service to many other MPLS equipments. We have been following the guide:
 
Configuring AAA Services on
Cisco ASR 9000 Series Routers
 
but we have had a lot of troubles, in fact we have loose the administration of the box, at this moment the only lines that are in the ASR900 are: [code]

View 8 Replies View Related

Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've been configured my device 6506-9 with TACACS+ server authentication: [code]
 
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Can't Contact AD Server Slow TACACS Auth Response

Sep 28, 2011

Running ACS 5.1 appliance, and am seeing slow repsonse on TACACS authentications due to the ACS trying to reach overseas AD servers and failing.  Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication?  As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS.  In my case, this would include the AD servers overseas that we do not want to use.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.2 Change Of Authorization With Avaya Switches (5520)?

Jan 27, 2013

I am configuring ise to do the posture assessment. I am having avaya as my LAN and Core switches. The idea is once the user is authenticated using 802.1x then it will be moved to qurantine vlan and after it is compliant with the company's policy then it will be moved to the actual vlan. I have configured the avaya switch to accept the radius assigned vlan and also configured the 802.1x dynamic-authorization. Currently, radius assigned qurantine vlan is working but once the nac agent scan and mark the PC status as Compliant then the CoA is not happening and User is not moved to the actual vlan.
 
I tested the same ise authorization policy of dynamically assigning VLANs on cisco switches and it worked perfectly, but the same is not happening on avaya switch.

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.41 Same Username With Two Different Group / Shell Profiles

Mar 23, 2013

In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.

View 3 Replies View Related

AAA/Identity/Nac :: 2960 - ACS 4.2 NDG And Shell Authorization Sets

Nov 25, 2011

I am trying to solve this problem without success so far. I have fresh ACS 4.2.15 patch 5 ACS installation and I am tryng to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.

I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
 
One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Shell Command Set - Unable To Deny

May 30, 2012

Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets not able to deny. Example like below: 
 
i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.
 
the command i issue at below: Code...

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS Version 4.2 (0) - Configure Shell Commands Authorization?

Sep 22, 2012

I'm trying to configure a shell commnds set such that all commands (including under conf t mode) will be allowed, except for administrative commands, such as write, copy, admin, format etc.It's been working for (most) priviliged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example.Here's the input of the shell command authorization set (Partial_access):
 
Unmatched Commands: permit
 Command list:
 admin
copy
delete
do

[code]....

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.1- Shell Command Works Under User But Not Group

Jul 27, 2011

This question might actually belong under tacacs server but it's only happening with the ACE.  I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor.  If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin.  We're running ACS ver 4.1 and the ACE is A4(1.1)

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Radius Attributes And Device Administration / Shell

Sep 18, 2012

Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following Attribute:Attribute = F5-LTM-User-RoleType = Unsigned Integer 32Value = 300.
 
My question is:How can I define the same as above using 'Device Administration/Shell Profiles' ?

There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under Custom Attributes tab there is only space for 2 fields and not 3 fields).

View 3 Replies View Related

Cisco VPN :: ASA 5510 - Connection Profile / Can't Change Name?

Mar 7, 2011

editing the name of a vpn connection profile and its policy, i have created the profile throught ipsec VPN wizard, the profile got automatically the name: DefaultRAGroup and also its grouppolicy got the name: DefaultRAGroup, in the edit window i cant change the Name?how can i rename them?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And Authorization Profile For RAS

Aug 2, 2012

what's the ACS 5.3 common configuration for authorization profile for RAS authorization ?
 
I have an authorization error and the customer needs PPP, LCP, ip pool  (configured on the ras).

View 1 Replies View Related

Cisco Firewall :: ASA 5520 CSC Module Per Subnet / IP Group Inspection Profile

Sep 7, 2011

verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
 
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.

View 5 Replies View Related

Wireless :: Prompt Says (Server Is Unavailable At This Time)?

Feb 9, 2011

My Verizon USB connection to the internet, suddenly stopped connecting to napster. Prompt says: "Server is unavailable at this time." No one at Verizon has a clue about fixing the problem, which Napster says is a Verizon connection problem..What to do??

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Authorization Profile / RADIUS Attributes

Jun 1, 2011

I am setting up Radius AAA for cat6K switch.For authentication its work and user can login to switch. But for the privilege level assignment, it does not work. After loging in, I always get privilege 1. I need your guide on how to configure on ACS 5.1,  RADIUS Attribute.I follow the document to configure the cisco-av-pair for assign Privilege 15 and Privilege 5 , but it does not work.This attribute format was shown in document is to set Privilege 15, "shell:privlvl=15" it is correct way of configure it on ACS 5.1

View 5 Replies View Related

Linksys Wired Router :: BEFSR41 V3 - Dyndns Server Is Unavailable

Dec 29, 2011

I'm currently running a BEFSR41 V3 router with firmware version 1.05.0 It seems that there is no update retry if the dyndns server is temporarely unavailable. Is it possible to initiate an update via command line or is a new firmware update available to solve this issue?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think i've got everything set up to authenticate against AD for Tacacs+ device logins.  When i check the logs, i see:"24408 User authentication against Active Directory failed since  user has entered the wrong password".  This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
 
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating to ACS, and ACS is passing info back to the switch.  ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Syslog And Tacacs Generate Ping Response?

Mar 20, 2012

I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior.  Both the syslog and ACS server are on the inside of another firewall (CoreFW).  Whenever a log message is generated on FW2 the request is dropped by CoreFW and message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed.  The same thing occurs for tacacs.
 
It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface.  I have access lists configured on CoreFW to allow the syslog and tacacs requests.
 
FW2 is running asa825-k8.bin, CoreFW is asa824-k8.bin

View 1 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS For Network Access

Feb 27, 2011

I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Configure MS ACS 4.1.1.23 To Allow Linux TACACS

Sep 20, 2011

I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers.  The servers are capable of TACACS, are using port 49 and have the correct shared secret.  I believe I do not have the devices configured properly on the ACS side.  These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Tacacs Accounting Report

May 14, 2013

I am setting up reports for tacacs accounting on ACS 5.3.  However, accounting only seems to work after entering enable mode on the switch.  I would like to see all commands, even the enable command when in privlage 1 mode.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS And JunOS Authorization?

Mar 4, 2012

I can get it to authenticate.  But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run.  I want the defintion to come from the ACS server, or at least control it from the ACS server.  I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.

View 10 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 / Tacacs Authorization Restrictions

Nov 14, 2012

ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
 
Switch configuration:     
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
 
Everything works well and the limited access users can only perform the commands i've setup.
 
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
 
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved