Authenticating LMS 4.x Users via TACACS+ on ACS 4.1

Hello Support,
I tried to authenticate the LMS 4.x users via TACACS+ on ACS 4.1, but unfortunately it is not working!
On LMS 4.x I have created users and defined roles for them. I have set the Authentication Mode Setup to TACACS+ on LMS 4.x.
On ACS 4.1 I have created an NDG and added an AAA client to the NDG.
Then I created on ACS 4.1 the same users that exist on LMS 4.x. But when I try to log in on LMS 4.x, I can NOT log in!
Please advise if I'm missing something!

Yes! the Tacacs+ mode is successfully performed! But I can not login.......

Similar Messages

  • Configuring RAS and TACACS+. through ACS.

    Hi all,
    I have a very basic question about configuring RAS with digital modems and AAA through TACACS+. I use the command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10, for example, and inside the router I configure this pool with some range of IP addresses, for example ip local pool OLA 192.168.10.2 192.168.10.127. And I set AAA through TACACS+.
    What should I do next on ACS? Should I configure this pool of IP addresses on ACS, or is it sufficient to do it only on the router? Or is doing this on the router not important?
    Thanks
    jl

    John
    I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
    HTH
    Rick

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I have a scenario where TACACS authentication fails for one user account on only one switch.
    The same user account works well on other devices.
    The AAA configs are the same on every device in the network.
    Here's the show tacacs output from the switch where only the one user account fails:
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason?
    No errors on the ACS server; the same rights have been given to the user account.
    Thanks for any advice.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    reports and activity----> failed attempts
    or
    reports and activity----->  passed authentications
    That will help narrow it down.
    Brad

  • Tacacs+ authentication/authorization based on user's subnet

    Hi Guys/Girls
    We have a number of production Cisco gears, all of which are configured with TACACS+, and all of them work just fine. But now I have a requirement to implement SSH version 2 across the whole network, comprising about 8000 Cisco gears.
    I need to develop a proof of concept (POC) that enabling SSH on production gears will not affect existing TACACS+ user authentication and authorization.
    Our lab Cisco gears have already been configured with the production TACACS+ server for authentication and authorization. Now I am allowed to test SSH on these lab gears, but without disrupting other users who are using the same lab gears.
    So I want to enable SSH version 2 on these lab gears; however, when a user comes from a certain specific subnet, this particular user must be authenticated and authorized by the LAB TACACS+ server and not by the production TACACS+ server. Please note that the lab gears I am testing with are also already configured for the production TACACS+ server. These lab gears must be able to do authentication and authorization against two different TACACS+ servers based on the subnet the user is coming from.
    Is this a doable plan? I have been looking for documentation to implement and test this method, without success.
    Your feedback will be appreciated and rated.
    Thanks
    Rizwan Rafeek

    Riswan,
    This will not work. TACACS authentication starts once the SSH connection is established: the NAD (switch or router) opens a TACACS connection and sends the start flag to the TACACS server, after which the "getusername" message is sent from the TACACS server to the device and to the user terminal. You cannot create an ACL in order to pick which TACACS server you authenticate to either. So when it comes to authenticating users from a specific subnet against a specific TACACS server, that is not the intended design of TACACS; when you configure multiple servers in a group it is to ensure high availability, so that when one TACACS server goes down you have a secondary to continue with the authentication requests.
    Here is an example of how the tacacs authentication is performed.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
    thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*
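    As an added example (not from the original post, Cisco, or the linked document), here is a Python sketch of the TACACS+ authentication START packet that a NAD sends once the user's SSH session is up, built on one side and decoded as a server would on the other. It follows RFC 8907 and shows that the body is only obfuscated by XOR with an MD5 keystream derived from the shared key, which is why the key must stay secret and the NAD-to-server path should be protected; the session id, key and user/port/address values are constructed sample data.

```python
import hashlib
import struct

# TACACS+ constants (RFC 8907); only what the START exchange needs
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set only when the body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # interactive ASCII login (server prompts for user/password)
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
START_FIXED = struct.Struct("!8B")  # action, priv_lvl, authen_type, service, 4 length octets

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no[|previous block]), repeated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1):
    """The START packet (seq_no 1) a NAD sends once the user's session is up."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    body += u + p + r + d
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)

def parse_authen_start(packet, key):
    """Decode a START packet the way a server would and return its fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack_from(body)
    off = START_FIXED.size
    fields = {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return {"seq_no": seq_no, "session_id": session_id, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": fields["user"].decode(), "port": fields["port"].decode(),
            "rem_addr": fields["rem_addr"].decode(), "data": fields["data"]}

if __name__ == "__main__":
    # Constructed sample values; the key is the one from the config posted elsewhere on this page
    pkt = build_authen_start(0x1A2B3C4D, b"cisco123", "netops", "tty2", "192.0.2.10")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"cisco123"))
```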

  • Connecting to OS-authenticated user via GUI

    I have a Solaris operating system-authenticated user.
    To connect via telnet I type sqlplus /, and it works fine.
    I have the SQLPlus client on my PC, and wish to connect to this user (via the SQLPlus GUI).
    I've tried the username, followed by the Unix password, but this does not work.
    Anyone know how I can do this?
    Thanks in advance
    Bob

    Hi,
    When you try to connect with your GUI SQL*Plus, you get connected directly to Oracle by SQL*Net (Net8), so the user and password you have to enter in the connection field of GUI SQL*Plus are the Oracle user and password and NOT your Unix user and password.
    To create an Oracle user:
    sqlplus system/manager
    create user my_user identified by my_password default tablespace TOOLS temporary tablespace TEMP ;
    Fred

  • Irregular failure to authenticate OpenDirectory users via password-based ssh

    TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh).
    I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10. I archived the OD config on the Xserve and then took it offline. Then I brought the Mini online using the same hostname/IP address and created a new OD master using the archived configuration. Everything seemed to work well; however, sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp. This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernible reason).
    The failures are only for password authentication using ssh. Other mechanisms do not exhibit the auth failures. For instance, AFP and SMB user auth never fails (with proper credentials). Nor do users of a FileMaker Server machine who authenticate via the OD server have problems. Public key based ssh authentication never fails. Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
    The failures are irregular. The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again. That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range. Sometimes that time range lasts seconds, sometimes it lasts hours.
    The time range failure pattern is host specific. For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines. If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
    The failure pattern does not seem to correlate to any other events or activity on the server (even remotely). CPU utilization never gets above about 15%. Memory utilization is similarly very low. Network traffic is occasionally high, but it does not seem in any way related to the auth failures. There are no other log messages that occur before or after the failures with any consistency.
    I've been monitoring the auth failures by attempting to log in to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users).
    The adaptive firewall is not running on the OD server. Nor is any other firewall.
    Below is a comparison of the system.log entries for a failed and a successful auth (I've stripped out the lines that are identical in both instances). The log entries have been sanitized as described below.
    Rebooting the OD server does not affect the bound clients' authentication. Rebooting the OD server is problematic, and I cannot do it often. When I do, sometimes failures start soon after reboot, and sometimes they don't come back for many hours; again, no discernible pattern.
    If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it. Note that I'm aware that I can export all users and groups and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logistical problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
    Thanks for reading.
    First failure:
        Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
        Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
    Now successful auth:
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
    I've sanitized the entries as follows, replacing...
    My username by myusername
    The ssh source host IP address by 10.50.50.99
    The ssh source hostname by clienthost.myorg.gov
    The server hostname by odserver.myorg.gov
    The server hostname (in caps) by ODSERVER.MYORG.GOV
    The server IP address by 10.50.50.50
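    As an added example (not part of the original post), a small Python script that automates the comparison done above: it parses system.log lines, tags each sshd password attempt as ok or fail, marks a failure as "kdc_unreachable" when opendirectoryd logged an "unable to reach any KDC" GSSAPI error within two seconds of it, and collapses consecutive failures into the start/end windows the post describes. The sample lines are constructed from the sanitized entries above with the Kerberos principals written out as an assumption; the two-second pairing window is also an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the sanitized system.log entries above.
# Kerberos principals are written out as an assumption (the post's copies are redacted).
SAMPLE_LOG = """\
Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ myusername@ODSERVER.MYORG.GOV from 127.0.0.1:65373 for host/odserver.myorg.gov@ODSERVER.MYORG.GOV [canonicalize, forwardable]
Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
Feb 11 00:01:21 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
Feb 11 00:01:21 odserver.myorg.gov sshd[72980]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ myusername@ODSERVER.MYORG.GOV from 127.0.0.1:63978 for host/odserver.myorg.gov@ODSERVER.MYORG.GOV [canonicalize, forwardable]
Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
Feb 11 01:04:20 odserver.myorg.gov sshd[73790]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
"""

LINE_RE = re.compile(r"^\s*(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
KDC_UNREACHABLE = "unable to reach any KDC"
PAM_ERROR = "PAM: authentication error for "
ACCEPTED = "Accepted keyboard-interactive/pam for "

def parse_line(line):
    """Split a syslog line into timestamp, host, process, pid and message (None if no match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "host": m.group(2), "proc": m.group(3), "pid": int(m.group(4)), "msg": m.group(5)}

def ssh_auth_events(lines, window=timedelta(seconds=2)):
    """Return (ts, user, outcome, cause) per sshd password attempt, in time order.
    A failure is tagged 'kdc_unreachable' when opendirectoryd logged a KDC-unreachable
    GSSAPI error within `window` of it, the pairing visible in the post's failed case."""
    records = [r for r in map(parse_line, lines) if r]
    kdc_errors = [r["ts"] for r in records if r["proc"] == "opendirectoryd" and KDC_UNREACHABLE in r["msg"]]
    events = []
    for r in records:
        if r["proc"] != "sshd":
            continue
        if ACCEPTED in r["msg"]:
            events.append((r["ts"], r["msg"].split(ACCEPTED, 1)[1].split()[0], "ok", None))
        elif PAM_ERROR in r["msg"]:
            user = r["msg"].split(PAM_ERROR, 1)[1].split()[0]
            near = any(abs(t - r["ts"]) <= window for t in kdc_errors)
            events.append((r["ts"], user, "fail", "kdc_unreachable" if near else "unknown"))
    return sorted(events, key=lambda e: e[0])

def failure_streaks(events):
    """Collapse consecutive failures into (first, last, count, causes) windows,
    matching the 'fail from 11:15 to 2:01, then recover' pattern described above."""
    streaks, cur = [], None
    for ts, _user, outcome, cause in events:
        if outcome == "fail":
            if cur is None:
                cur = [ts, ts, 0, set()]
            cur[1], cur[2] = ts, cur[2] + 1
            cur[3].add(cause)
        elif cur is not None:
            streaks.append((cur[0], cur[1], cur[2], frozenset(cur[3])))
            cur = None
    if cur is not None:
        streaks.append((cur[0], cur[1], cur[2], frozenset(cur[3])))
    return streaks

if __name__ == "__main__":
    for first, last, count, causes in failure_streaks(ssh_auth_events(SAMPLE_LOG.splitlines())):
        print(f"{first:%b %d %H:%M:%S} - {last:%H:%M:%S}: {count} failure(s), causes={sorted(causes)}")
```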

    Hello James,
    I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization auth-proxy default group tacacs+ local
    aaa session-id common
    ip auth-proxy name AUTHPROXY http inactivity-time 60
    interface FastEthernet0/0
     ip address 192.168.250.19 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.200.120 255.255.255.0
     ip access-group 110 in
     ip nat inside
     ip virtual-reassembly
     ip auth-proxy AUTHPROXY
     duplex auto
     speed auto
    ip route 0.0.0.0 0.0.0.0 192.168.250.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list nat interface FastEthernet0/0 overload
    ip access-list extended nat
     permit ip 192.168.200.0 0.0.0.255 any
    access-list 110 permit ip any any
    tacacs-server host 192.168.250.20
    tacacs-server key cisco123
    end
    Please check if the commands are supported on your router as well.
    If this was helpful please rate.
    Regards.

  • Guest access setting in PI 1.3 via tacacs

    Hello All,
    We are currently deploying PI 1.3 and would like to use guest access via a receptionist with TACACS+ (ACS 4.2).
    Everything is working except that when we use ACS for authentication I cannot see how to pass the default info and make it non-editable, like I can do with a local user (prefilled and greyed out: disclaimer, profile, duration, where to apply).
    I definitely do not want those fields to be chosen by the ladies at the front desk.
    I did not find any info on how to do it via TACACS, only on having the role and tasks set correctly in ACS.
    Does somebody have an idea how to solve it?
    I also do not see how to create templates tied to the user.
    Thanks and Regards,
    daniel

    You can explore the API for this. API documentation can be accessed via https:///webacs/api/v1.
    Look for the device inventory API and then apply a filter with the device type model.
    Regards

  • Can't modify users via commadmin or DA after adding services

    after adding the following services
    Authentication Configuration
    Instant Messaging Service
    Presence Service
    I cannot modify users via commadmin (string index error -6) or via the DA (save operation failed). Nothing in the slapd logs (error or access). After removing these services I can modify via the DA.
    Is this a known bug (or a feature?).
    After modifying, I can re-add the services and proceed as normal.
    thanks,
    s7

    you can try what worked for me:
    remove services from user (in amconsole web app http://jes-server/amconsole) -
    login as admin, search specific user, see their services, remove them -
    run your commadmin command - it should work now
    re-add the removed services.

  • How do I add a WindowsAD user via the java SDK?

    Post Author: [email protected]
    CA Forum: JAVA
    I have attempted several derivations of this code:
    IPluginMgr boPluginMgr;
    IPluginInfo boPluginInfo;
    IInfoObjects boInfoObjects;
    IInfoObject boNewUser;
    // Retrieve the user plugin
    boPluginMgr = iStore.getPluginMgr();
    boPluginInfo = boPluginMgr.getPluginInfo("CrystalEnterprise.User");
    // Create a new infoobject collection
    boInfoObjects = iStore.newInfoObjectCollection();
    // Add a new user
    boNewUser = boInfoObjects.add(boPluginInfo);
    Any suggestions?

    Post Author: Ted Ueda
    CA Forum: JAVA
    You wouldn't be creating the AD user via code. You'd have the AD user created automatically when you configure the Windows AD authentication in BusinessObjects Enterprise using the Central Management Console. Enterprise will connect to AD and create users automatically.
    Sincerely,
    Ted Ueda

  • Authenticate windows users via ACS

    Hi,
    Expert insight required for Cisco ACS: is it possible to authenticate Windows users via ACS and apply ACL policies on network devices?
    I would appreciate valued inputs.
    Regards,

    Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
    Seems you are looking for DACL. Here is a document that can help you to understand the same
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
    Let me know if you need any further help.
    Jatin Katyal
    - Do rate helpful posts -

  • Creating users via the admin console

    Hi,
    I'm trying to create a user via the admin console. The user will have to authenticate via Membership, and will require a username and password. However, when creating the user via the admin console it does not allow you to specify a default password (or by using the command line 'ipsadmin create user /domain/user.xml', unless there is some XML field specified in the file to do that? If so, what is it? Specify an attribute in the "iwtAuthMembership-password"?) After creating a user via the console, I tried logging in using a blank password and a password the same as the username, but neither worked. Is this password set by default to something, and if so to what?
    Also, is there some existing means for a user who has already created a membership account to change their password? If not, then I guess I will have to develop some code to modify the "iwtAuthMembership-password" attribute.
    Thanks,
    Mark

    Hi,
    After you have created the user via the console, the user will be added to a particular role. From the console go to that particular domain and then to the role under which the user was created. Then select the Users link and you can see the users list. From that list select the user for whom a password is needed; it will lead you to a screen where you can see a link named Authentication. Expand that link and click on the Membership link; there you can enter the username and password for the user.

  • Same user in tacacs and local database with different privilege

    Hi there,
    I am just not sure if this is correct behavior.
    I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform.
    I have configured authorization with TACACS+ on an ACS server version 5.2 with fallback to the switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    A user test with priv 15 is created on the ACS server, password test2.
    Everything works fine until I create the same username in the local database with privilege 0 (it doesn't matter if the user in the local database was created before the user in ACS or after).
    e.g.:
    username test password test1 role priv-0   (note passwords are different for users in both databases)
    After I create the same user in the local database with privilege 0,
    if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and should be the primary way to authenticate and authorize the user.
    Is this normal?
    Thank you for your help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS, Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems cannot.
    Although IOS-XR, Nexus, ACE and Juniper have a "role-based authorization" feature, every single one of them uses its own particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search the documentation deeply for some hints, because sadly the documentation is not very good when talking about TACACS details.
    If you find which attributes to use and what values to assign to them, then you can go to ACS and configure a "Shell Profile".
    Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them I will post them here.
    Please rate if it helps

  • Authenticating IMS 5.2 user passwords against another LDAP

    hi,
    I am currently authenticating IMS 5.2 against IDS 5.1.
    Is it possible to authenticate IMS 5.2 users' passwords against another LDAP server just for logins?
    The rest of the user mail attributes would still remain on IDS 5.1 for mail delivery, etc.
    What would be the requirements for the other LDAP server to return to the user in order to log in to Messenger Express/POP/IMAP/SMTP?
    How would the HTTP session id be returned to the user via the IMS?
    thank you

    Thanks Jay...
    I did the following:
    $ ./configutil -o store.defaultmailboxquota -v 10485760
    Now, I think I read somewhere you have said it is required to restart...
    Would it suffice to just refresh the cache with the following command?
    ./imsimta restart dispatcher
    Thanks as always for your support.

  • SharePoint 2013 and Windows authentication (integrated) or SharePoint user for report data source

    Hello,
    I am having issues creating report datasource in "Windows authentication (integrated) or SharePoint user" in SharePoint 2013. I followed the steps mentioned in the link http://blogs.msdn.com/b/psssql/archive/2014/04/28/sharepoint-adventures-using-claims-with-reporting-services.aspx.
    I am just stuck on the delegation piece here. I have an SSAS instance by the name "XXXXAPPV01\Multidimensional". First, what is the procedure to set the SPN for this instance? I need to add this service in the delegation tab so that the C2WTS service is configured correctly.
    In short, I should be able to access my SSAS 2012 cube from SSRS 2012 with "Windows authentication (integrated) or SharePoint user" as the authentication method.
    Palash

    I used the below command to set SPN for analysis services.
    setspn -S MSOLAPSvc.3/XXXXAPPV01APPV01.xxxxdmo.local:Multidimensional xxxxdmo\svcMyService
    After setting the SPN for this service account I added this account (xxxxdmo\svcMyService) in the delegation tab of the domain account created earlier for the claims service (xxxxdmo\svcC2WTS). Now in Service Type it shows MSOLAPSvc.3, in User or Computer it shows XXXXAPPV01APPV01.xxxxdmo.local and in Port it shows Multidimensional. This is in my svcC2WTS account's delegation tab. Still I am not able to connect to the data source with "Windows authentication (integrated) or SharePoint User". I am getting the same error "Cannot convert claims identity to windows token".
    I am not sure what I am missing in this configuration piece yet to get this working.
    Palash

  • "Authentication failed. User is already authenticated as a different user."

    Hello,
    Initially I was not able to log into the Visual Admin. When I logged into the Visual Admin, I got "authentication failed". I reset the password of Administrator in the User Administration on the portal. Now I can log into the Visual Admin using the password I just changed on the portal.
    I am not able to log on to the portal using "Administrator". I get this message: "Authentication failed. User is already authenticated as a different user."
    The URL is somewhat different as this is a production portal: "http://host.com/sld" (/irj/portal)
    Does anyone have a clue?
    Thanks
    Srinivas

    There were no relevant roles assigned.
