Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?
Sep 13, 2011
I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....
View 7 Replies
ADVERTISEMENT
Feb 2, 2013
I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization.
View 1 Replies
View Related
Mar 4, 2012
I can get it to authenticate. But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run. I want the defintion to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.
View 10 Replies
View Related
Nov 14, 2012
ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
Switch configuration:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
Everything works well and the limited access users can only perform the commands i've setup.
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?
View 1 Replies
View Related
Jan 15, 2012
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
View 1 Replies
View Related
Feb 2, 2012
We have a group in TACACS ACS4.2. I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says "command authorization failed".
View 2 Replies
View Related
Jan 3, 2012
I am having an issue with authorization on the Nexus 5548. Note: The tacacs configuration has and still works correctly with all non-Nexus gear.
Authentication succeeds, and initiatial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name), are configured.
ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with Access Policy.
View 1 Replies
View Related
Nov 5, 2011
provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
View 8 Replies
View Related
Jan 3, 2012
While working in a 3560 all of a sudden I received the message "command authorization failed" while trying to issue certain commands.
It appears I lost my priv 15 authorization. We have seen this before, we do not have access to the ACS to trouble shoot the issue.I tried logging in a 2nd and 3rd time using tacacs and received the same error whenever I issued a command such as dir flash: , copy tftp flash or show run. At the time I was trying to copy IOS to the switch, I had a co-worker log in and it was fine for him and he completed the copy.
Once completed I logged back in and all was fine again. We suspect an issue with ACS? possibly a timeout of our TACACS authorization ?
View 1 Replies
View Related
Apr 5, 2011
1 ) : Is it possible to do authentication with one ACS server while authorization with another ACS? Use case is if the user authenticated to one ACS server and then switch loses the connectivity to this ACS. Now command authorization requests will go to another ACS server since switch is not able to communicate to the 1st ACS.
2): How can the local database sync be acheived in distributed ACS deployments?
3): Are the accounting records are sync between different ACS? In other words can accounting be centeralised with ACS4.2
View 1 Replies
View Related
Mar 4, 2012
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies
View Related
May 1, 2013
I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.
View 5 Replies
View Related
May 14, 2013
I am trying to access an ASA 5545 using TACACS+. I have the ASA configured as follows:
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
ERROR: Authentication Server not responding: No error.
View 20 Replies
View Related
Oct 24, 2011
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
View 1 Replies
View Related
Aug 6, 2012
I have ACS 5.2 and JUNOS 10.6.x I setup 2 classes eng-class and ops-class with read/write and read-only permission here is my configuration on JUNOS
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx
[code]....
I have 2 separate Authorization policies for engineer and operator group.Result,
1. engineering group is working fine.
2. the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.
3. Web authentication is not also working for bot group.
View 14 Replies
View Related
Jun 27, 2012
we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
View 1 Replies
View Related
Dec 20, 2009
Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)
View 6 Replies
View Related
Aug 18, 2011
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
View 8 Replies
View Related
Aug 22, 2009
We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
[Code].....
View 24 Replies
View Related
Jan 5, 2012
ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting
View 6 Replies
View Related
Mar 15, 2010
I've been configured my device 6506-9 with TACACS+ server authentication: [code]
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E
View 6 Replies
View Related
Aug 26, 2010
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none
[Code]......
View 8 Replies
View Related
Dec 5, 2012
I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?
View 3 Replies
View Related
Jun 6, 2011
I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
View 6 Replies
View Related
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
View 4 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Mar 25, 2011
How to be able to locate a sample, working configuration of tacacs+ authentication on the ASA5510?
View 2 Replies
View Related
Jan 4, 2011
I'm trying to get user authentication backed off to ACS 5.1, I've got it working but not the way I'd like. This is using the TACACS settings not ACS mode.I've created a local user in CW and assigned it to the correct roles, then created a user in ACS with the same name and a different password and this works fine.My question is can I set the roles on the TACACS server using a shell profile/custom attributes. All the documentation I can find is for ACS v4?
View 15 Replies
View Related
Feb 17, 2012
All ip's and any identifying numbers have been change to protect.
I have a 6500 series switch that for some reason will not authenticate to the tacacs server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in thru ssh. And the enable secret to get into privileged mode. Tacacs key is correct, btw.we will call the server vlan 300 and the admin vlan 400.the tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.
I can ping the tacacs server via the switch, but when i use the source cmd with the ip address of the admin interface vlan, ping will not work. I changed the tactics source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine. ip routing is turned on. There are entries for both the server vlan subnet and the ad-min vlan subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan.
I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for ip's, keys, and vlans) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that Im having an issue with, and none of them are having issues with authentication.
View 1 Replies
View Related
Jul 12, 2012
I want to configure managment-access authentication to the WCS via tacacs+. The AAA Server is Cisco ACS 5.2.I made it and it works, but only with PAP Authentication Type. Chap doesn't work 4 me.The Access Service is configured with allowed protocols PAP and CHAP.The ACS Monitor just display an error with these steps:Received TACACS+ Authentication START Request
View 1 Replies
View Related
Dec 27, 2012
We are using Cisco ACS server Version : 5.3.0.40.6. Our tacacs appliances are crashing on AD authentication on a fairly regular basis. I have been searching Cisco.com to see whether we are on the latest version or not however I couldn't find anything lattest than what we are currently using. Are we on the latest version?
View 1 Replies
View Related
Sep 12, 2011
Is there a decent guide on how to configure ACS5.2 for TACACS management authentication of WCS?
View 2 Replies
View Related
