Cisco AAA/Identity/Nac :: C4948-10G / Tacacs+ Not Working On VRF Interface?

Feb 3, 2013

C4948-10G switch running IOS 15.0(2)SG ?ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
 
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable

[code]....

View 13 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: TACACS Authentication Working Via SSH But Not HTTP (ACS 5.1 / 3560)

Aug 26, 2010

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+.  I don't even get a log in ACS when attempting to authenticate via HTTPS.
 
Here is my AAA config, followed by a debug:
 
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none

[Code]......

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Web Interface Not Working

Mar 31, 2011

We have a Cisco Access Control Server (TACACS+ version 5.1) with an additional 2 port NIC card. This produces 4 ports on the ACS server(G0 through G3).After initial setup of the ACS server with an IP address on G0, I connected a Windows 7server with IE8 to G0. The ACS web interface appears (after accepting certificate) and Ientered some user accounts and NDGs.I then connected the ACS server to a configured port with port-security on our 6500switch. The port becomes err-disabled since the MAC address does not match up. It appearsthat the onboard NIC on the ACS server is bonded thus producing the MAC address issue.To fix this connection issue, on the ACS server, I cleared out G0 and setup G2 (additiional NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port works fine. I removed the connection to the 6500 and connected the Windows server to the ACS.I can ping the ACS server but the web interface is now unavailable unlike before. I do not get a certificate warning on IE, it just states that internet not available. On ACS, the 'show' status of acs shows all the processes are running and initialized. It has got me stumped as all I did was change NIC configurationon the ACS server.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think i've got everything set up to authenticate against AD for Tacacs+ device logins.  When i check the logs, i see:"24408 User authentication against Active Directory failed since  user has entered the wrong password".  This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
 
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating to ACS, and ACS is passing info back to the switch.  ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS For Network Access

Feb 27, 2011

I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Configure MS ACS 4.1.1.23 To Allow Linux TACACS

Sep 20, 2011

I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers.  The servers are capable of TACACS, are using port 49 and have the correct shared secret.  I believe I do not have the devices configured properly on the ACS side.  These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Tacacs Accounting Report

May 14, 2013

I am setting up reports for tacacs accounting on ACS 5.3.  However, accounting only seems to work after entering enable mode on the switch.  I would like to see all commands, even the enable command when in privlage 1 mode.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS And JunOS Authorization?

Mar 4, 2012

I can get it to authenticate.  But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run.  I want the defintion to come from the ACS server, or at least control it from the ACS server.  I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.

View 10 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 / Tacacs Authorization Restrictions

Nov 14, 2012

ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
 
Switch configuration:     
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
 
Everything works well and the limited access users can only perform the commands i've setup.
 
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
 
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Switches TACACS Or RADIUS With ACS 4.2

Aug 14, 2011

So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
 
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
 
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.

A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
 
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission  (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA).  Is there a way to do it?
 
More info:
 
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Tacacs Authorization Logs?

Jan 15, 2012

Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
  
For example if i type command username xyz priv 15 secret cisco 123
 
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.

View 20 Replies View Related

Cisco AAA/Identity/Nac :: 2950 Cannot Get To Work With TACACS

Mar 8, 2012

I have several 2950 switches that I cannot get to work with TACACS.  I'm using the same config for these that I am using for other cisco switches. [code]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Setting Up ACS 5.2 TACACS Authentication With JUNOS?

Aug 6, 2012

I have ACS 5.2 and JUNOS 10.6.x  I setup 2  classes eng-class and ops-class  with read/write and read-only permission here is my configuration on JUNOS
 
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

[code]....
 
I have 2 separate Authorization policies for engineer and operator group.Result,

1.  engineering group is working fine.

2.  the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.

3.  Web authentication is not also working for bot group.

View 14 Replies View Related

Cisco AAA/Identity/Nac :: Stop Radius / Tacacs Service In ACS 5.2?

Jul 11, 2011

IS there a way to stop the Radius/Tacacs service in ACS 5.2 from the GUI ?

View 6 Replies View Related

Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the  field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5540 TACACS+ Accounting Commands

Aug 30, 2011

I've set up my 5540 ASA to accounting commands on TACACS+.Every moviment done through ASDM is logged on TACACS+ by this form: cmd=perfmon interval 10.What does that mean?Why doesn't it record the exaclty command I'd issued?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Slow CLI Response After Implementing TACACS

Sep 30, 2012

After implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase.  There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Load Balancing - TACACS+ NAS IP Address?

Jun 26, 2012

I'm currently evaluating a scenario where AAA request are load balanced across multiple ACS 5.3 instances. The application delivery controller runs in L3 mode, which naturally causes the original packet's source IP address to be replaced by a randomly selected proxy address.As far as RADIUS is concerned, I can perfectly determine the originating NAS by means of a 'Device Filter' condition. Unfortunately, ACS seems to lack the possibility of achieving the same for TACACS+. According to the user manual, only the actual IP address from the received packet is taken into account. I've also come across the 'NAS-Address' attribute in the protocol dictionary, but it can't be used in a custom condition either.how to retrieve the initial device IP address from a TACACS+ request in order to use it for further policing?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: TACACS Nexus 5548 Authorization?

Jan 3, 2012

I am having an issue with authorization on the Nexus 5548. Note: The tacacs configuration has and still works correctly with all non-Nexus gear.
 
Authentication succeeds, and initiatial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name), are configured.
 
ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with Access Policy.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 / TACACS Proxy - No Source NAS IP Address

Aug 1, 2012

i would like to use the ACS 5.3 as TACACS Proxy. Basically it works. But when checking the logs on the destination TACACS Server (ACS 4.2) i see that all requests (Source-NAs) came from the IP of the TACACS-Proxy. Not from the original source IP.
 
This is useless for my scenario, because on the destination TACACS Server the policies are built on the NetworkDevices Groups and AAA Clients = source IPs.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACs connection works, and my user authentication is successful, but i can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
 
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
 
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: 5510 - How To Enable Password When Using Tacacs+

Jul 10, 2012

I have been experimenting with acs 4.2 and  a cisco asa 5510. I have managed to authenticate the ASA users with my tacacs server. The user "test" is authenticated with the tacacs server, and can log in. But the enable password is wrong, because i dont know where to place it in the tacacs server.
 
Now my question is, where do i set my enable password when authenticatig with tacacs+. And for this i mean in the acs 4.2, i know how to do it on the asa.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Radius For ASA VPN Quits When Tacacs Is Also Selected

Sep 2, 2011

Our ACS 5.2 is authenticating ASA VPN users with Radius. I would like to use the ACS to authenticate ASA administrator logins with Tacacs. When I modify the ASA Network Device by checking the Tacacs box in addition to the Radius box, ASA VPN authentication stops. Running original 5.2 without any patches on ESX. platform. I thought 5.2 supports radius and tacacs on the same device?
 
On subsequent tests found that just opening the ASA Network Device and closing the window will also stop the ASA RADIUS from working. Logs don't show any attempt by the ASA to connect and I'm sure that's wrong. To fix it, I reselect all ACS policy items and save the same settings. Sounds like a bug? 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Juniper Netscreen Integration In ACS 5.1 Tacacs

Oct 21, 2011

I wants to inegrate Juniper netscreen firewall in Tacacs Cisco Acs 5.1.As I go through Juniper KB which mentioned that I need to enable Netscreen Service in Cisco ACS 5.1. how to enable Netscreen service in Cisco Acs 5.1 and how I got Further to integrate Juniper Netscreen Device in Cisco cs 5.1

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
 
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....

View 24 Replies View Related

AAA/Identity/Nac :: Command Authorization Failed In TACACS With ACS 4.2

Feb 2, 2012

We have a group in TACACS ACS4.2.  I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says "command authorization failed".

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved