Juniper SSG TACACS+ Integration with ACS 5

Hi,
I'm working on TACACS+ integration on a Juniper SSG firewall with ACS 5, but the login on the SSG fails. After checking the log on ACS, I see that it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
Please advise,
Cheers,
Ryan

I was able to configure the SSG to authenticate using RADIUS. In order to work with RADIUS, I had to create a RADIUS dictionary using the netscreen dictionary found at Juniper. The dictionary is attached.
I'm not sure how to import it, but I created the dictionary manually.

Similar Messages

  • LMS PRIME 4.2 integrating with ACS 4.2

    Hello,
    I would like to integrate the new LMS Prime 4.2 with ACS 4.2!
    Is there a document or user guide for this version of LMS?
    Thanks in advance.
    Marwan

    In LMS 4.2 there is nothing known as Integration (like in LMS 3.x), since it added the RBAC feature.
    Now ACS can just be used as a PAM to have CiscoWorks authenticated via TACACS+ or RADIUS. After the auth is done, you should have an authorization set in LMS locally for the user, else it will be given default Help Desk access.
    For more details check:
    Authentication Using Login Modules - Overview
    -Thanks

  • Cisco Prime NCS integration with ACS 5.1

    Hello,
    We have an issue with authorization on an NCS system. NCS is successfully integrated with ACS, but there is a problem with one user. All users have equivalent rights under root. There is a shell profile with all possible tasks (exported from the NCS server) configured on ACS. All users except this one (the unlucky one :)) authorize successfully. In the ACS logs, the authentication and authorization status for this user is passed and all attributes (policy, profile, AV-pairs etc.) are the same as for the other users. This 'unlucky' user gets the following message:
    There is surely no browser or network issue. Tried from different PCs with the same result. There is no local info related to this username on the NCS server. When I change one character in the username on his ACS account, everything works well. What could be a possible reason for this behaviour? Thanks!
    Our ACS version: 5.1.0.44.X
    Our NCS version: 1.1.2.X

    This question should be moved to the Security > AAA forums, as this sounds more like an ACS issue than an NCS one.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Cisco Works LMS 3.1 Integration with ACS v5.2

    Hello Experts,
    Our customer has a working integration between Cisco Works LMS 3.1 and an ACS v3.3, as described in this document:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Now we are changing the old ACS servers to the new ACS v5.2 platform. Is it possible to integrate the LMS with the new ACS server? We want to use granular user access restrictions for SuperAdmins, Hotline users and so on...
    Thanks,
    Florian

    Hi Florian,
    Actually, ACS 5.2 is not supported in CS 3.2.
    Here is the list of the supported ACS servers under LMS 3.1:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp865998

  • Prime NCS: TACACS+ Integration into ACS 5.1

    Hello,
    I'd like to integrate TACACS+ into NCS.
    I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.
    Any ideas?
    Regards,
    Alex
    Here is my Shell Profile Configuration

    I finally could log in, but not with the default Ambassador view.
    That's really strange. Here is the authorization result from my ACS server:
    {Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }
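The authorization reply quoted above is a flat "key=value;" string with indexed AVPairs (role0, task0..task4, virtual-domain0). The following parser is an added example, not code from the thread or from Cisco; it reproduces the reply string from the post as constructed input and treats the expected role as an assumption, so that one can check what ACS actually returned rather than guessing from the GUI.

```python
import re
from collections import defaultdict

# Constructed from the authorization reply quoted in the post above.
ACS_REPLY = ("{Type=Authorization; Author-Reply-Status=PassAdd; "
             "AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; "
             "AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; "
             "AVPair=task3=Configure Guest Users; AVPair=task4=Check License; "
             "AVPair=virtual-domain0=ROOT-DOMAIN; }")

# Indexed attribute names such as role0, task3, virtual-domain0.
INDEXED = re.compile(r"^([A-Za-z-]+?)(\d+)$")


def parse_acs_reply(reply):
    """Split the ACS log string into top-level fields and indexed AVPair lists."""
    body = reply.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    result = {"avpairs": defaultdict(dict)}
    for field in body.split(";"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition("=")
        if key != "AVPair":
            result[key] = value
            continue
        # "role0=Lobby Ambassador" -> name "role", index 0, value "Lobby Ambassador"
        attr, _, attr_value = value.partition("=")
        m = INDEXED.match(attr)
        name, idx = (m.group(1), int(m.group(2))) if m else (attr, 0)
        result["avpairs"][name][idx] = attr_value
    # Order each attribute's values by index so a gap (task0, task2) stays visible.
    result["avpairs"] = {n: [v for _, v in sorted(d.items())]
                         for n, d in result["avpairs"].items()}
    return result


def check_authorization(parsed, expected_role):
    """Return findings explaining why the web login may not get the expected view."""
    findings = []
    status = parsed.get("Author-Reply-Status")
    if status not in ("PassAdd", "PassRepl"):
        findings.append(f"authorization status is {status!r}, not a pass")
    roles = parsed["avpairs"].get("role", [])
    if expected_role not in roles:
        findings.append(f"role {expected_role!r} not returned; got {roles}")
    for required in ("task", "virtual-domain"):
        if not parsed["avpairs"].get(required):
            findings.append(f"no {required} attributes returned")
    return findings
```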

  • Tacacs+ problem with ACS 5.2

    I am new to ACS server 5.2; can someone please help me before I bang my head against the wall? I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.
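The debug output above never gets past the TCP open to port 49, which is a transport question rather than an ACS policy question. The triage script below is an added example (not from the thread or from Cisco); it embeds the quoted debug lines as constructed input and separates "server unreachable" from "server answered, check the ACS log".

```python
import re
from collections import Counter

# Constructed sample: the lines quoted from the switch debug in the post above.
DEBUG_LINES = """\
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
""".splitlines()

OPEN_RE = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=(\d+)")
FAIL_RE = re.compile(r"TAC\+: TCP/IP open to (\S+)/(\d+) failed -- (.+)$")


def _server(servers, ip, port):
    return servers.setdefault(ip, {"port": int(port), "attempts": 0,
                                   "failures": 0, "reasons": Counter()})


def triage_tacacs_debug(lines):
    """Count connection attempts and failures per TACACS+ server from debug output."""
    servers = {}
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            _server(servers, m.group(1), m.group(2))["attempts"] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            srv = _server(servers, m.group(1), m.group(2))
            srv["failures"] += 1
            srv["reasons"][m.group(3).strip()] += 1
    return servers


def diagnose(servers):
    """Separate a transport problem (TCP/49 never opens) from an AAA policy problem."""
    if not servers:
        return "no TACACS+ connection attempts found in the debug output"
    unreachable = [ip for ip, s in servers.items()
                   if s["failures"] and s["failures"] >= s["attempts"]
                   and all("timed out" in r for r in s["reasons"])]
    if len(unreachable) == len(servers):
        return ("all servers unreachable on TCP/49: check routing, ACLs/firewall and the "
                "source interface before looking at ACS policy")
    answered = sorted(set(servers) - set(unreachable))
    return f"servers that accepted a connection: {answered}; check the ACS log"
```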

    Did you add the switch as an AAA client in the ACS box? Make sure you use the correct switch IP when adding it in ACS.
    You can go to "Monitoring and Reports" on ACS to check the log to see what happened.

  • All the devices not showing after CSM integration with ACS

    Hi all
    I integrated ACS with CSM and added all the security devices into ACS as client devices. But after the integration with ACS only a few devices are shown in CSM when I log in as super admin. For all other users (system admin, network operator, etc.), no devices are shown in CSM. Please give me a solution to solve this.

    Did you already have devices in CSM when you integrated it with ACS? Did you make sure that the hostnames of the devices are exactly the same in ACS and CSM?

  • LMS 3.2 integration with ACS 5.1

    Hi
    Is it possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
    Here is a link to how to do it with ACS 4.X:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Regards
    Reidar

    Thanks Reidar.... hmm, very strange. I really wish an expert would respond to this thread, as it will help a lot of people who might be planning to deploy these versions, and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1, and it might help to know when it will (updates etc.). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is unfortunately not an option.......

  • MARS 5.2.7 integration with ACS 4.1

    Hello
    I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate users in MARS.
    Do any of you know if MARS 5.2.7 has this feature? If yes, can you please give some info on where to find the docs?
    Thank you very much.
    Best regards, Antonello.

    Hi,
    LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
    By default, if a user does not have an account in LMS, they will receive the Help Desk role.
    Please check the below link:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
    Thanks-
    Afroz
    [Do rate the useful post]

  • LMS 3.1 Slow after integrating with ACS

    Dear All, has anyone faced an issue of slowness after integrating LMS 3.1 with ACS 4.2? I don't know how I can resolve this issue. Is there any patch to resolve it...
    Any kind of help will be very welcome.

    I'm using LMS 3.2 with ACS 4.0 and it actually seemed a bit faster after the ACS integration. Nothing I measured, but subjectively it seems faster. Both my servers are on Windows and the ACS is across the WAN from my CiscoWorks.
    How do your devices fare with their ACS? You can debug TACACS at the router/switch level as one tool. I'm sure one of the Cisco guys on here will point you to one of the many logs that LMS generates, possibly with debugging activated, to dig deeper there also.

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign the shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign the shell command authorization set to any device (in the user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it into the DEFAULT group.
    Did anyone have a similar problem, or is there something that I am doing the wrong way? Is there another way to achieve such a thing without using NDGs?
    Thanks everyone....

    Please upgrade to patch 6; there is a bug in patch 5, and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization? Did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • Cisco Security Manager integration with ACS

    Has anybody got this working yet?
    I have tried but as yet have been unsuccessful in registering CSM with the ACS server.
    I am following the instructions; however, nothing seems to work. All I get is "failed to register".
    Any help would be appreciated
    Regards
    Jason

    Check out this link...
    http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guide_chapter09186a00806e23e3.html

  • Ciscoworks 3.2 login issue with ACS

    Hi All,
    I am facing an issue logging into the Ciscoworks portal on the LMS server, which is integrated with the ACS tool.
    Now I am unable to log in to the portal with the username and password which are already configured in the ACS server.
    I have ended up reinstalling the Ciscoworks software and restoring the backup, but the problem still persists. Please let me know how to fix it.
    If I reinstall it again, how would I restore the backup, since the backup restoration again gives the login issue?
    If I'm using only the dcrcli exported device list after the reinstallation, all the devices get stuck in DFM question status, hence I restored the proper backup. Now I am stuck. Please help.

    You need to sort out your DNS: get the lookup and reverse lookup working.
    Say your device is a box with
    Fa 0/0 10.10.1.1
    Lo 0    172.32.1.1
    First you get your DNS to resolve the address of port Fa 0/0 (10.10.1.1) to the DNS name "adevice.yournetwork.com".
    Next you get your DNS to resolve the name "adevice.yournetwork.com" to 172.32.1.1, which happens to be the Lo0 interface of the device.
    Then you can get LMS to use the address you want, as it is configured in DNS.
    Cheers,
    Michel

  • Juniper SSG 20 optical interface connection to Cisco 4506

    Let me post the same issue to the Optical forum too:
    Hello,
    Here's the problem.
    There's one Juniper SSG 20 firewall with a JX-SFP-1GE-SX multimode fiber interface (850nm) (which I can control) and I have to connect it to a Cisco 4506 switch which has a WS-X4306-GB module and WS-G5484 GBIC interface (also multimode fiber).
    The SSG 20 shows link up. The Cisco shows link down.
    Unfortunately I don't have a Cisco 4506 to play with, but I have to find a solution for this system. The Cisco 4506 show version is:
    #show version
    Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(25)EWA9, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Wed 21-Mar-07 12:20 by tinhuang Image text-base: 0x10000000, data-base: 0x115C6158
    ROM: 12.2(31r)SGA1
    Dagobah Revision 226, Swamp Revision 34
    XXXXXXX uptime is 3 weeks, 1 day, 3 hours, 20 minutes System returned to ROM by reload System restarted at 13:19:45 CEST Mon May 19 2008 System image file is "bootflash:cat4000-i9k91s-mz.122-25.EWA9.bin"
    I was able to replicate the issue with a Cisco 3524 switch (SSG20 shows link up, Cisco link down, physical down), and the solution that I found was to enter the interface-level command: (config-if)#no negotiation auto. After this command, everything was showing state as "UP" and working as expected (there was traffic going through the optic).
    When I suggested this command as a solution, the administrator on the other side claimed that this command returns "invalid input detected at ^ marker".
    Can anyone tell me if there is any known issue between those two products, and maybe an alternative to this command, so I can turn off this IEEE 802.3z negotiation if that's the problem?
    Thanks for assistance
    Cheers
    M.

    So I found my solution, but I want to know why it is like this.
    The solution was to enter the following command on the Cisco:
    (config-if)#speed nonegotiate
    From this link: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/sw_int.html
    I can see in the section "Configuring Link Negotiation on Gigabit Ethernet Ports" that this command deals with the negotiation exchange of flow-control parameters, remote fault information, and duplex information. Link negotiation is enabled by default.
    And the funniest thing of all is that this speed nonegotiate command doesn't deal with the speed at all :)
    Can someone confirm for me what remote fault information and flow control parameters are?

  • ACS 5.3 Integration With RSA

    Hi People,
    I have integrated ACS 5.3 with AD.
    Now my next goal is to integrate ACS with RSA in such a way that all my Cisco devices use the username and password from AD.
    The enable privilege level should come from the RSA token OTP.
    Is it possible to do such a thing with ACS 5.3?
    If so, how could I do it?
    Thanks,
    Manoj

    I think you can try to make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
    (this is not tested and based on my recollection, so it would need your verification):
    1) Create a custom condition for the Service attribute in the TACACS+ dictionary
    Policy Elements > Session Conditions > Custom
    Create: Dictionary: TACACS+ ; Attribute: Service
    2) Use it in a rule in the Device Admin identity policy
    Access Policies > Access Services > Default Device Admin > Identity
    Select "Rule based"
    Customize based on the condition from step 1
    Create a rule for when Service is "Enable". Select the identity source as RSA in this case.
