AAA, Tacacs+ and ACS

I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.
What I have so far on the switch is
enable secret 5 removed
username admin privilege 15 password 7 removed
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
The local admin logs in perfectly fine when the switch is not connected to the network.
When I connect the switch to the network and log in using my AD credentials it works a treat.
When I try to log in with a local ACS account for testing, which has Max Privilege for any AAA Client set to Level 1 and, under TACACS+ Settings, Shell (exec) ticked as well as Privilege level (also set to 1), it logs in fine, but when I try to go into exec mode it fails with the errors below:
% Error in authentication.
.Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
I don't want test to go into exec mode as level 15; I want it to go in as level 1 or some level other than 15, so I can control what commands it has access to through ACS.
I'm at a loss to know why this isn't working, so any help would be much appreciated.
Thanks
Jon

The problem you are facing and the error you're seeing on ACS, "max session exceeded", seem to be two different issues. I read that you don't want to try this with Max privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.
You need to have command authorization enabled on the switch and a command set on the ACS > shell command authorization. This is a pretty common feature that we use day in, day out.
You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
You will see a few examples of read-only access and read-write access.
You may also let me know which commands you would like to allow for read-only access.
Please feel free to let me know if you need any further assistance.
~BR
Jatin Katyal
**Do rate helpful posts**
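To make the answer above concrete: an ACS 4.x shell command authorization set decides each command the switch forwards (with `aaa authorization commands 15 ... group tacacs+`) by matching the command word and then its arguments against ordered permit/deny patterns, with a set-wide choice for unmatched commands. The following Python is an added, constructed model of that decision logic, not ACS code and not from the original thread; the `ReadOnly` and `ReadWrite` set contents are assumptions chosen to mirror the read-only / read-write examples the linked document describes.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a shell command authorization set (constructed model)."""
    command: str                                   # the command word the device sends as cmd=
    arg_rules: list = field(default_factory=list)  # [("permit" | "deny", regex), ...] in order
    permit_unmatched_args: bool = False            # models the "Permit Unmatched Args" box


@dataclass
class CommandSet:
    """A named set; permit_unmatched_commands models the set-wide Permit/Deny choice."""
    name: str
    rules: list
    permit_unmatched_commands: bool = False

    def authorize(self, cmd_line: str) -> bool:
        parts = cmd_line.strip().split(maxsplit=1)
        if not parts:
            return False
        cmd, args = parts[0], parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            if rule.command != cmd:
                continue
            for action, pattern in rule.arg_rules:  # first matching argument rule wins
                if re.search(pattern, args):
                    return action == "permit"
            return rule.permit_unmatched_args
        return self.permit_unmatched_commands


# Constructed sets: read-only users may run show (except the config dumps),
# exit and terminal length; read-write users are unrestricted.
READ_ONLY = CommandSet("ReadOnly", [
    CommandRule("show", [("deny", r"^running-config"), ("deny", r"^startup-config")],
                permit_unmatched_args=True),
    CommandRule("exit", permit_unmatched_args=True),
    CommandRule("terminal", [("permit", r"^length")]),
])
READ_WRITE = CommandSet("ReadWrite", [], permit_unmatched_commands=True)


def audit(cmd_set: CommandSet, session: list) -> dict:
    """Replay a session's command lines (for example, the cmd= values from
    'aaa accounting commands' records) against a set; returns each decision."""
    return {line: cmd_set.authorize(line) for line in session}


if __name__ == "__main__":
    session = ["show ip interface brief", "show running-config", "terminal length 0",
               "configure terminal", "exit"]
    for name, s in (("ReadOnly", READ_ONLY), ("ReadWrite", READ_WRITE)):
        print(name, audit(s, session))
```

Two things follow from the model. First, the user still has to land in exec at level 15, because the switch only asks ACS about commands at the levels listed in `aaa authorization commands`; the restriction lives in the set, not in the privilege level. Second, `if-authenticated` in the switch config above means that when the TACACS+ server is unreachable, any already-authenticated user's commands are permitted without a lookup, so the accounting records are the only trace of what was run during an outage.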

Similar Messages

  • WAE, TACACS and ACS

    I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.
    I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.
    All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.
    Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?
    Thanks in advance,
    Peter

    Peter,
    The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.
    Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:
    System > AAA > Users
    Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.
    Zach

  • Configuring RAS and TACACS+. through ACS.

    Hi all,
    I have a very basic question about configuring RAS with digital modems and AAA through TACACS+. I use the command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10, for example. And inside the router I configure this pool with some range of IP addresses, for example:
    ip local pool OLA 192.168.10.2 192.168.10.127
    And I set AAA through TACACS+.
    What should I do next on ACS? Should I configure this pool of IP addresses on ACS, or is it sufficient to do it only on the router? Or is doing this on the router not important?
    Thanks
    jl

    John
    I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
    HTH
    Rick

  • ANM 4.2 - RBAC using Tacacs+ and ACS5.1

    I want to configure RBAC for ANM 4.2 using tacacs+ and ACS 5.1
    Service = ANM
    ANM_UniqueID = ANM_1
    RoleName = ANM_Admin
    Domain = All
    When the admin user logs in, this policy element is triggered, but the Role is not sent back.
    How to configure the Custom Attribute?
    Cheers,
    Wolff

    Could you please move this thread to the AAA community, since this community is mostly about load-balancing and I doubt that you will get any answers here. You can find the AAA community here: https://supportforums.cisco.com/community/netpro/security/aaa
    You should be able to move it by clicking on "Move thread" on the right side and then navigating to Communities -> Security -> AAA
    Thanks

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we have FWSMs running version 3.2.22 and users authenticate using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created the users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to the devices and execute those show commands from priv level 1, except "sh access-list". I have specifically put
    "privilege show level 1 mode exec command access-list"
    in the config.
    Is there anything I am missing, or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For the default login you need to use the first policy matched.
    You can diversify telnet/ssh from http by creating different aaa groups.
    But you will still be logging in telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • ACE - Setup AAA TACACS+ using CS Unix ACS

    Hi,
    I have setup AAA tacacs+ on ACE Admin context with RSA token. This is similar to AAA IOS setup.
    I can log in but it does not allow me to do any commands.
    "show users", under Domain, says I am logged in as "Network-Monitor default-domain".
    Any ideas how to get around this and make myself part of the Admin group?
    Also is there any doco on setting up AAA on the ACE module using Cisco Secure for Unix ACS?
    Thanks
    Sanjay

    Hi,
    It did work as you suggested. I had to move user in [Root] as we have other Shell attributes in different groups.
    ct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
    Oct 16 15:18:29 c1 user = test2 {
    Oct 16 15:18:29 c1 service = shell {
    Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    Oct 16 13:18:29 c1 }
    Oct 16 13:18:29 c1 service = exec {
    Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    ACE-Admin/Admin# sh users
    User Context Line Login Time (Location) Role Domain(s)
    admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
    *test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
    When I moved user in the support group with existing shell access configured, it dumps in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
    So I guess my option is to use RADIUS as login method.
    I am trying to get it going but the CS ACS Unix does not like :
    cisco-avpair = "shell:Admin=Admin default-domain;
    Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
    Oct 16 15:18:29 c1 check_items = {
    Oct 16 15:18:29 c1 200 = 1
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 reply_attributes = {
    Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
    Oct 16 15:18:29 c1 6 = 6
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 }
    Now I get :
    [ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
    Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
    test2 failed
    It would be good to see if anyone else has tried this.
    sanjay

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine; now I would like to add backup authentication, as follows:
    - If the ACS goes down I can be authenticated with the local database.
    Is this possible with PIX, and if yes, how?

    Hi,
    I am trying to configure aaa using TACACS+ and I am not able to close this out. The problems are:
    1. It doesn't ask for username/password at the first level.
    2. At the second level it asks for a username but doesn't authenticate the user.
    Could you please let me know if the following config is correct? If not, could you help me?
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Configure AAA with ANM, ACS and ACE

    I am seeking best practices for deploying ANM and ACS to manage ACEs. Configuration guides suggest that authorization can be on ACS 5.2 or ANM.
    I found that an admin user can be assigned to a single role only. What I would like to do is set myself up as an admin user with different roles for different ACEs. For example, I want to be a system admin for one ACE and have the network-monitor role for another ACE.
    Would someone offer me any suggestions?

    thank you

  • Authenticating LMS 4.x Users via TACACS+ on ACS 4.1

    Hello Support,
    I tried to authenticate the LMS 4.x users via TACACS+ on ACS 4.1. But unfortunately it is not working!
    On LMS 4.x I have created users and I have defined roles for the users. I have defined the Authentication Mode Setup for TACACS+ on LMS 4.x.
    On the ACS 4.1 I have created an NDG and I have added an AAA client to the NDG. Then I have created the same users on ACS 4.1 that exist on LMS 4.x. But when I try to log in on LMS 4.x, I can NOT log in!
    Please advise if I'm missing something!

    Yes! The TACACS+ mode is successfully performed! But I cannot log in.......

  • Firewall and ACS

    I've configured the firewall to use ACS, but the firewall locks me out when the ACS is not available.
    My question is: is there any command I have to configure on the firewall to be able to get to it when the ACS is unavailable?
    Another question is that I cannot run the pixshel command on the firewall; it will authenticate but fail to authorize. I'm running version 3.3(4).
    thanks in advance

    Try to configure AAA on the firewall through PDM because it will be easy for you, and you will find an option where the first preference will be TACACS+ and the other option will be LOCAL. What will happen is that it will first try the ACS server and, if that is not available, it will authenticate with a username configured in the PIX local database. Also create a local user with maximum privilege in the PIX so that authentication is successful. This will solve your problem.
    As far as I know you cannot run pixsshell with the current PIX IOS version 6.3; it may be supported in a future IOS release.

  • Same user in tacacs and local database with different privilege

    Hi there,
    I am just not sure if this is correct behavior.
    I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform.
    I have configured authorization with tacacs+ on ACS server version 5.2 with fallback to the switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    A user test with priv 15 is created on the ACS server, password test2.
    Everything works fine until I create the same username in the local database with privilege 0. (It doesn't matter if the user in the local database was created before the user in ACS or after.)
    e.g.:
    username test password test1 role priv-0   (note the passwords are different for the users in both databases)
    After I create the same user in the local database with privilege 0, if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and should be the primary way to authenticate and authorize the user.
    Is this normal?
    Thank you for your help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS, Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems cannot.
    Although IOS-XR, Nexus, ACE and Juniper have the "role-based authorization" feature, every single one of them uses its own particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search the documentation deeply for hints, because sadly the documentation is not very good when talking about TACACS details.
    If you find which attributes to use, and what values to assign to the attributes, then you can go to ACS and configure a "Shell Profile".
    Now back to the Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them I will post them here.
    Please rate if it helps

  • AAA TACACS with Brocade Switches

    We are testing authentication on Brocade switches with our AAA TACACS+ server.  It seems that after authenticating to enable mode, you can type "exit" and be dropped back to level 7 mode.  From this point you can type "enable" and authenticate to the switch using the local "enable" password, not from TACACS.  Has anyone run across this and is there a way to correct it?  Is there something that needs to be configured in TACACS on the server to recognise the Brocade switch and make this work?
    Ray

    Hi Ray,
    What ACS version are you using?
    On a cisco switch the following command is used:
    switch(config)# aaa authentication enable default tacacs+ enable
    The above command is used to set the TACACS+ as the default check for the enable password. If TACACS+ is not available it will fall back to the local enable password.
    You need to look into such option in the Brocade switch.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Does ISE 1.1 support TACACS and H-REAP?

    Hello,
    Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
    Also, the customer wants to have quick access to the corporate network with a few laptops without going through Active Directory. Any suggestion on this?
    Thanks
    Olu

    EAP-TLS does not rely on AD.
    CA root cert is installed on ACS for trust and identity.
    You can elect to Perform Binary Certificate Comparison with a Certificate retrieved from LDAP or Active Directory:
    Users and Identity Stores >
    Certificate Authentication Profile >
    Edit: "CN Username"
    see the checkbox at the bottom.
    I do EAP TLS machine auth only without integrating AD into the policy at all.
    hth,
    jk

  • Cisco WCS 7.x TACACS+ with ACS 5.2

    Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
    So I'm trying to get WCS to work with TACACS per this document:
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
    However, after having to enter EVERY SINGLE TASK, once you get down to:
    Creating Service Selection Rules for TACACS
    To create service selection rules for TACACS, perform the following steps:
    Step 1 Choose Access Policies > Access Services > Service Selection Rules.
    Step 2 Click Create.
    Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
    I'm a little confused as to where it wants me to click 'Create'.  I of course did the 'hunt and peck' method and the only place I see where there is a 'create' button is under
    Access Policies >
    Access Services >
    Default Device Admin >
    Authorization
    but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

    Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2.  I've learned it's best to stick with the list so that you are not only familiar with that exact software, but with that exact version's 'issues' as well.  No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together, as TACACS and Radius are different technologies.
    It's just because TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information below as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
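
The "Packet Encryption" section above says that TACACS+ obfuscates the whole packet body but leaves a standard header in the clear, including a flag that records whether the body is obfuscated at all. The Python below is an added example, not from the original post or from Cisco, that builds and parses a TACACS+ authorization REQUEST the way RFC 8907 lays it out: a 12-byte header, then a body XORed against an MD5 pseudo-pad derived from the session id, the shared key, the version byte and the sequence number. The shared key, session id and the `service=shell` / `cmd=show` argument values are constructed sample values.

```python
import hashlib
import struct
from dataclasses import dataclass

# Header flag bit, packet type and version byte from RFC 8907.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_VER_DEFAULT = 0xC0  # major version 0xC, minor version 0
# Authorization REQUEST fixed fields (RFC 8907 section 6.1).
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


@dataclass
class Header:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @classmethod
    def unpack(cls, raw: bytes) -> "Header":
        return cls(*struct.unpack(HEADER_FMT, raw[:HEADER_LEN]))

    @property
    def body_obfuscated(self) -> bool:
        # The one cleartext hint about the body: bit 0 of the flags byte.
        return not (self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def pseudo_pad(hdr: Header, key: bytes) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), cut to body length."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < hdr.length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:hdr.length]


def xor_body(hdr: Header, body: bytes, key: bytes) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(hdr, key)))


def author_request_body(user: str, port: str, rem_addr: str, priv_lvl: int, args: list) -> bytes:
    """Encode an authorization REQUEST body (RFC 8907 section 6.1)."""
    enc = [a.encode() for a in args]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(enc))
    return (fixed + bytes(len(a) for a in enc) + user.encode() + port.encode()
            + rem_addr.encode() + b"".join(enc))


def build_packet(session_id: int, seq_no: int, body: bytes, key: bytes, obfuscate: bool = True) -> bytes:
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    hdr = Header(TAC_PLUS_VER_DEFAULT, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return hdr.pack() + (xor_body(hdr, body, key) if obfuscate else body)


def parse_packet(raw: bytes, key: bytes):
    """Return (header, body). The header needs no key; the body needs it unless the
    sender set TAC_PLUS_UNENCRYPTED_FLAG, which is the flag to watch for in captures."""
    hdr = Header.unpack(raw)
    wire_body = raw[HEADER_LEN:HEADER_LEN + hdr.length]
    if len(wire_body) != hdr.length:
        raise ValueError("truncated packet")
    return hdr, (xor_body(hdr, wire_body, key) if hdr.body_obfuscated else wire_body)


def author_args(body: bytes) -> list:
    """Pull the argument strings back out of an authorization REQUEST body."""
    user_len, port_len, rem_len, arg_cnt = body[4], body[5], body[6], body[7]
    pos = 8 + arg_cnt + user_len + port_len + rem_len
    out = []
    for n in body[8:8 + arg_cnt]:
        out.append(body[pos:pos + n].decode())
        pos += n
    return out


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"  # placeholder, not a real key
    body = author_request_body("test", "tty1", "192.0.2.10", 1,
                               ["service=shell", "cmd=show", "cmd-arg=running-config"])
    pkt = build_packet(0x1234ABCD, 1, body, KEY)
    hdr = Header.unpack(pkt)  # readable by anyone on the path, no key needed
    print("type", hdr.type, "seq", hdr.seq_no, "obfuscated", hdr.body_obfuscated)
    print(author_args(parse_packet(pkt, KEY)[1]))
```

The pseudo-pad is a keystream, not authenticated encryption: a wrong key yields garbage rather than an error, and nothing in the packet proves the body was not altered in transit. That is why the shared key is the whole of the protection for the usernames, command names and arguments inside, and why a TACACS+ client or server that sets TAC_PLUS_UNENCRYPTED_FLAG on production traffic is worth flagging in a capture.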
