Cisco AAA/Identity/Nac :: ACS 4.2 / TACACS+ Accounting Network Access Profile Name Is Missing
Feb 6, 2011
I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2In the document [URL] Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.Is this some bug in ACS View or ACS or maybe I simply missing something?
I am setting up reports for tacacs accounting on ACS 5.3. However, accounting only seems to work after entering enable mode on the switch. I would like to see all commands, even the enable command when in privlage 1 mode.
I've set up my 5540 ASA to accounting commands on TACACS+.Every moviment done through ASDM is logged on TACACS+ by this form: cmd=perfmon interval 10.What does that mean?Why doesn't it record the exaclty command I'd issued?
I just came across a requirement, of implementing different password policies for different group users.
I can see in >>>>SYSTEM CONFIGURATION>>>>User>>AUTHENTICATION SETTINGS has only global option to implement the password complexity/no of days for active user. But i need this feature to be based for per user/group
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The NEXUS console reports this error. (amongst many others)
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason ----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) --- 1) At 389 usecs after Wed Jan 18 12:32:49 2012 Reason: Reset triggered due to HA policy of Reset Service: Tacacs Daemon hap reset Version: 5.0(3)N1(1c)
I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.
If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made? I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within NCS gui like I can on a WLC. I know that NCS has an internal audit trail but if a users account is both a local account on NCS as well as an account being authenticated through ACS does the Audit trail on NCS for that local user still contain the information about changes the user made? I ask because it looks like it does but I want to make sure I'm not going mad. Here is my example:
Local account username: NCS_Admin2AD account via TACACS username: NCS_Admin2
Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though i've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
How to configure ACS 5.1 local administrator accounting and where have to check the accounting log . suppose administrator logged in to ACS and created some user or delete users where will see the log , which user have they created or deleted.
ACE is configured to point accounting to ACS servers but ACS servers are not seeing all the accounting logs. I can only see accounting logs from ACE for watchdog, start and stop.
Following best practices on cisco documentations we did set aaa acounting update periodic 5 with 250 switches in the deployment every single switch is geneating and sending 9.990 acct records this is too much the new testing parameterswe are using is aaa acounting update newinfo periodic 15 and this lowered accts by 2/3 (3500) moreover from switch monitoring the most accts records sent by it are related to the trunk-port any suggestion to mitigate this informations storm rather than raising the 15 min period to higher values?are this records generating from the trunk port normal?
i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?
on the dashboard of the "Monitoring & Report Viewer" I see a lot of system alarms related to the database.The explanation of the alarm says to look at the Collector logs for the details.
Whether ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting.
We have Cisco ACS 4.2 in our network and the accounting is done for 750-1000 devices and only for level priv-15.If i want to enable accounting for all levels from priv-1 to 15. All commands executed in devices are sent to ACS. Does the ACS can that much sessions from those many devices?Am also planning to configure acs remote agent to store all the accounting history.
I am in the process of setting up ACS 5.2 for a network and have run into an issue when attempting to apply the following aaa commands to a network device:
aaa authorization exec default group tacacs+ local if-authenticated aaa authorization commands 1 default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ local if-authenticated
Once the commands have been applied to the device configuration I get "command authorization failed" when attempting to do anything. Taking a quick look at the TACACS Authorization reports I see a failure reason of "13025 Command failed to match a Permit rule" and under the Selected Command Set "Deny All Commands" is listed. After doing a bit of searching, I noticed some articles online that indicate I should be able to specify the appropriate command set to the authorization profile under the Default Device Admin policy. However, when I open up a Device Administration Authorization Policy, nowhere in the window does it display command sets that I can select from.
I am setting up Radius AAA for cat6K switch.For authentication its work and user can login to switch. But for the privilege level assignment, it does not work. After loging in, I always get privilege 1. I need your guide on how to configure on ACS 5.1, RADIUS Attribute.I follow the document to configure the cisco-av-pair for assign Privilege 15 and Privilege 5 , but it does not work.This attribute format was shown in document is to set Privilege 15, "shell:privlvl=15" it is correct way of configure it on ACS 5.1
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
I think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers. The servers are capable of TACACS, are using port 49 and have the correct shared secret. I believe I do not have the devices configured properly on the ACS side. These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.
I can get it to authenticate. But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run. I want the defintion to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.
ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
Switch configuration:
aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization console aaa authorization config-commands aaa authorization exec default group tacacs+ local aaa authorization commands 0 default group tacacs+ local aaa authorization commands 1 default group tacacs+ local aaa authorization commands 15 default group tacacs+ local aaa session-id common
Everything works well and the limited access users can only perform the commands i've setup.
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?
So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.
A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).
I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.
