AAA config with ACS

I have ACS configured and it works, need to grant selected users access to extended ping and extended trace route without level 15. I have configure the group settings to include permit ping and permit trace and every over variation but no extended ping is working.

The ports that Cisco Secure ACS listens to for communications with AAA clients, other Cisco Secure ACSes and applications, and web browsers. Cisco Secure ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening to specific ports. In some cases, these ports are configurable, such as with LDAP and RADIUS token server databases. For more information about ports that a particular external user database listens to, see the documentation for that database.
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233623.html

Similar Messages

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
    to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
    Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
    This is what I suggest the commands back to normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    provide the sufficent description (if required)
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
    For example: If we want user to be only able to access the following commads:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)

  • AAA authorization with ACS 3.2

    I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is setup correctly, but my devices aren't. Here is the current config:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

    Marek
    1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
    2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
    I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and providing answers in addition to asking questions.
    3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
    I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
    4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
    HTH
    Rick

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
    (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
    Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    to start I am new to ACS so if this is an easy issue to solve please forgive me. I am trying to get Authentication working with ACS 4. I setup everything according to the instructions and when I try to test authentication with VPN concentrator I get a No active server found error. I have tried using an Internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645 but I do see Port 49 for tacacs and I also see Ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
    Darra

  • WCS 7.0 with ACS 5.1

    Hi,
    I want to add WCS as a AAA client for authentication with Radius  in my set-up.
    how to configure WCS for the same.
    where are all those options in WCS.
    Please guide me for the same.

    Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
    I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success.  I have created a unique Shell Profile that invokes for the WCS only which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages) and I can log in to WCS with the new account, but some things I dont appear to have priviledges for, such as Reports.  Is there any way to debug which task WCS thinks I dont have to do this?  Any other ideas?

  • Using Multiple AD domains with ACS

    Hi,
    Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location but the users will be from different domains and I was hoping to use a single applicance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
    In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
    Thanks in advance
    Jason

    Hi Javier,
    I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains - I don't want to have to established trusts between different domains.
    Kind regards
    Jason

  • Dynamic Vlan Assigment on 2950 with acs 4.2

    Hello to everyone
    We have a problem with Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic Vlan assignment based on groups
    On the ACS we configured the following attributes for the specific group
    64 = VLAN
    65 = 802
    81 = VLAN Name
    We tried for the 81 attribute both Vlan name and Vlan ID but we get the same results
    In detail, we need the machine to be placed on Vlan ID 6 named vlan_sio so we inserted these value in the attribute field
    Before we configured the switch to speak with ACS:
    aaa new-model
    aaa group server radius Switch
                                   server 172.16.0.93 auth-port 1812 acct-port 1813
    dot1x system-auth-control
                    radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
    radius-server retransmit 3
    Configured the ports for the use of dot1.x.
    switchport mode access
                   dot1x port-control auto
                   dot1x guest-vlan 7
                   spanning-tree portfast
    The users are correctly authenticated but the ports are always connected to the default Vlan of the ports
    We tried to debug with the debug dot1.x events command and we get the following errors:
    Feb 16 12:00:04.017:         Attribute 64 6 0100000D
    Feb 16 12:00:04.017:         Attribute 65 6 01000006
    Feb 16 12:00:04.017:         Attribute 81 4 01360806
    Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
    Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
    Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
    Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
    Does anyone know what we could have missed?
    Thank’s

    solved
    It was just missing the command
    aaa authorization network default group XXXX

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report withing ACS.
    Is there an incompatability between the WLC 4402-50 with ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • Integrating WCS 7.0 with ACS 5.1

    Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
    I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success.  I have created a unique Shell Profile that invokes for the WCS only which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages) and I can log in to WCS with the new account, but some things I dont appear to have priviledges for, such as Reports.  Is there any way to debug which task WCS thinks I dont have to do this?  Any other ideas?

    Turned on trace in WCS and saw info like this: (abreviated)
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports                is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task16 = Delete and Clear Alerts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task48 = Mesh Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard    is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task42 = Monitor Chokepoints
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task40 = Monitor Tags
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task46 = RRM Dashboard
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task45 = Monitor Interferers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task44 = Monitor Spectrum Experts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task43 = Monitor WiFi TDOA Receivers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Disconnecting from authorization socket  - From Server:  10.9.2.253  - For User:  acstest
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0
    all i did was copy and paste in all tasks from the WCS export list???

  • Cisco Works LMS R3.1 with ACS R5.1

    I search on internet about the AAA integration between LMS R3.1 y ACS R5.1, and all the information that I found it's related to ACS R4.1. It's possible to integrate with ACS R5.1.
    Regards and thanks in advanced
    Luis Martinez

    Nael,
    Sorry to batter you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2 and from the support page of CISCO I just can donwload the following version LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but i got an error that saids "LMS R3.2.1 needs LMS R3.2 installed on the server"
    Could you please tell me where can I download the complete and initial LMS R3.2.
    Thanks in advanced for your kindly help.
    Luis Martinez

  • LMS Authentication with ACS 5.1

    Hi, I am using LMS authentication via ACS. I am able to login to LMS successfully with ACS user name and password but I can not execute most of the task it says you are not authorised. do i need to anything in LMS except enabling login module to tacacs...
    Let me know if I missed something.
    Thanks
    Ninja

    Integration with ACS 5.1 is not yet supported.  You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration.  Disable AAA mode, and set the login module to be TACACS+.  Point that to your 5.1 server, and you should be able to login, and run tasks in LMS.  However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

  • Tacacs+ problem with ACS 5.2

    I am new with ACS server 5.2 can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.

    Did you add the switch as AAA client in ACS box? Make sure you use the correct switch IP when adding it in ACS.
    YOu can go to "monitoring and Report" on ACS to check the log to see what happened.

  • Aaa authorization with Tacacs+

    Hello All,
    I am trying to figure out how aaa authorization with tacacs+ works.
    I am totally comfortable with aaa authentication..But am not able to understand how it works...How diff priv levels are assigned to diff users?..
    I am totally freaked out...

    The device side side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
    Cisco has a pretty thorough configuration example posted here.

  • Juniper SSG TACACS+ Integration with ACS 5

    Hi,
    I'm working on TACACS+ integration on Juniper SSG firewall with ACS 5, but failed login on the SSG. After checked the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
    Please advice,
    Cheers,
    Ryan

    I was able to config SSG authenticate using RADIUS.  In order to work with RADIUS, I have to create RADIUS dictionary using netscreen dictionary found @ Juniper.  Attach the dictionary.
    I'm not sure how to import, but I create the dictionary manually.

Maybe you are looking for