Cisco WCS 7.x TACACS+ with ACS 5.2

Ok, so I took my bday off today so I could stay home and set up my lab for IE v2 and have the birthday wish of 'leave daddy alone for a while' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get TACACS working on an eval version of ACS 5.2 per the IE list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
So I'm trying to get WCS to work with TACACS per this document:
http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
However, after having to enter EVERY SINGLE TASK, once you get down to:
Creating Service Selection Rules for TACACS
To create service selection rules for TACACS, perform the following steps:
Step 1 Choose Access Policies > Access Services > Service Selection Rules.
Step 2 Click Create.
Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
I'm a little confused as to where it wants me to click 'Create'.  I of course did the 'hunt and peck' method and the only place I see a 'Create' button is under
Access Policies > Access Services > Default Device Admin > Authorization
but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2.  I've learned it's best to stick with the list so that you are not only familiar with that exact software, but that exact version's 'issues' as well.  No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

Similar Messages

  • Cisco Works LMS R3.1 with ACS R5.1

    I searched the internet for the AAA integration between LMS R3.1 and ACS R5.1, and all the information that I found is related to ACS R4.1. Is it possible to integrate with ACS R5.1?
    Regards and thanks in advance
    Luis Martinez

    Nael,
    Sorry to bother you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2, and from the Cisco support page I can only download the following version: LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but I got an error that says "LMS R3.2.1 needs LMS R3.2 installed on the server".
    Could you please tell me where I can download the complete and initial LMS R3.2?
    Thanks in advance for your kind help.
    Luis Martinez

  • Implementing max user sessions settings for TACACS with ACS 5.3

    I'm a little confused about the configuration of max user sessions for device administration with TACACS.
    When I changed the configuration from unlimited sessions to a value in Access Policies > Max User Session Policy > Max Session User Settings,
    I thought this value would limit the maximum number of sessions for each user, but instead this value limits, in a global sense, all of my sessions.
    For example: I need to limit the sessions for my users to 2.
    user1 = Max 2 sessions
    user2 = Max 2 sessions
    user3 = Max 2 sessions
    When I put the value of 2 in Max Session User Settings:
    user1 + user2 + user3 = Max 2 sessions
    Is this a limitation of ACS 5.3, or does my configuration need something additional?

    Luis,
    Are you saying that when you authenticate with user1 and user2, user3 isn't able to get access?
    Do you have TACACS accounting enabled on the network access device?
    Also, what do you have configured for the group settings? If there is a maximum group setting and all the users are members of the same group, then the lesser of the two will be enforced. So if the group max sessions is set to 1, then all users in that group will have a max session of 1.
    Here is some reference material.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1162177
    Thanks,
    Tarik Admani

  • Using TACACS+ With ACS 5.6 on 300 Series Switches v1.4

    I was wondering if anyone could give me instructions on how to set up ACS for TACACS+ on a 300 series switch using Authorization? I can get it to work to authenticate, but the authorization doesn't seem to work like a catalyst switch. Thanks in advance for any help!

    Brandon, thanks for the link, but this is for the older software before they included authorization (the v1.4). I've looked through a bunch of manuals and tried to find examples online, but it doesn't seem like anyone has anything out there I can find.

  • Cisco Administration Best Practice - TACACS+ or RADIUS

    I'm new to cisco and currently building a midsize environment and wanted to know what is the best practices for administration management of cisco equipment?
    Thanks!

    Using TACACS+ with ACS especially gives you all of the AAA's - this is better/best practice for mgmt access to Cisco devices imho.
    Bilal

  • Integrating WCS 7.0 with ACS 5.1

    Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
    I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success.  I have created a unique Shell Profile that is invoked for the WCS only, which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages), and I can log in to WCS with the new account, but there are some things I don't appear to have privileges for, such as Reports.  Is there any way to debug which task WCS thinks I don't have to do this?  Any other ideas?

    Turned on trace in WCS and saw info like this (abbreviated):
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports                is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task16 = Delete and Clear Alerts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task48 = Mesh Reports
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard    is not a valid task
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task42 = Monitor Chokepoints
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task40 = Monitor Tags
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task46 = RRM Dashboard
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task45 = Monitor Interferers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task44 = Monitor Spectrum Experts
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task43 = Monitor WiFi TDOA Receivers
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Disconnecting from authorization socket  - From Server:  10.9.2.253  - For User:  acstest
    01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0
    All I did was copy and paste in all tasks from the WCS export list???

  • Cisco ACS 5.1 & Cisco WLC 5508 & Cisco WCS

    I have managed to get TACACS+ working for the WLC and WCS but am having trouble with RADIUS for management authentication and authorization.
    Anyone got any ideas or good documents on how to authenticate administrators using RADIUS with ACS 5.1 for WLC 5508 and WCS 6?
    I take it that I still need to define roles?
    Many thanks.
    Jay

    You may try this with radius-ietf under shell-privilege:
    For read-write privileges for the user, set the Service-Type Attribute to Administrative.
    For read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
    Regards,
    Jatin
    Do rate helpful posts~

  • Cisco WCS integration with SNMP based monitoring

    I am looking for a solution to integrate Cisco WCS with any SNMP based monitoring solution.  My requirement is below:
    - Alerts for access points up/down should be picked up by an alerting system in its console through SNMP.
    - I don't want all access points to be monitored, but only a critical group.
    Currently all access points are configured in LWAP mode under a wireless controller.  Can I configure APs individually for SNMP and get them monitored through the 3rd party monitoring tool?
    Can anyone please guide me to find a solution for this?

    http://www.cisco.com/en/US/docs/wireless/mse/3350/6.0/CAS/configuration/guide/msecg_ch2_CAS.html

  • WCS 7.0 with ACS 5.1

    Hi,
    I want to add WCS as an AAA client for authentication with RADIUS in my setup.
    How do I configure WCS for this?
    Where are all those options in WCS?
    Please guide me.

    Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
    I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success.  I have created a unique Shell Profile that is invoked for the WCS only, which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages), and I can log in to WCS with the new account, but there are some things I don't appear to have privileges for, such as Reports.  Is there any way to debug which task WCS thinks I don't have to do this?  Any other ideas?

  • Using Cisco WCS with Microsoft IAS

    Hi.
    I have two 5508s and WCS 7.0.172. I want to use Active Directory users' credentials to log in to the WCS. I have configured the NPS role on a server with Windows 2008 R2.
    I have read this http://zmq503o1.wordpress.com/2008/01/06/using-cisco-wcs-with-microsoft-ias/ and done the same.
    I don't agree with "on the "Encryption" tab and clear all the checkboxes except "No encryption"" - wants an encrypted connection, but this didn't work until "Reversible encryption" was permitted in the user's properties in AD. This is not what I want.  Would I need to generate an SSL cert for the WCS as written here? http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/hard.html#wp1042471
    Or do something else? thx

    Camera is only supported for use with CUVA. Any other application attempting to utilize the camera is not tested and is not supported.

  • Tacacs+ problem with ACS 5.2

    I am new with ACS server 5.2. Can someone please help me before I bang my head on the wall? I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.

    Did you add the switch as an AAA client in the ACS box? Make sure you use the correct switch IP when adding it in ACS.
    You can go to "monitoring and Report" on ACS to check the log to see what happened.

  • Juniper SSG TACACS+ Integration with ACS 5

    Hi,
    I'm working on TACACS+ integration on a Juniper SSG firewall with ACS 5, but login failed on the SSG. After checking the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
    Please advise,
    Cheers,
    Ryan

    I was able to configure SSG to authenticate using RADIUS.  In order to work with RADIUS, I have to create a RADIUS dictionary using the netscreen dictionary found at Juniper.  Attach the dictionary.
    I'm not sure how to import, but I create the dictionary manually.

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    To start, I am new to ACS, so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions, and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I have also tried an AD account. If I port scan the ACS server I do not see it advertising port 1645, but I do see port 49 for TACACS and I also see ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
    Darra

  • WCS can't logon to ACS 3.3

    Just fired up a new Windows WCS install and have been trying various options to get it to work with ACS (for admin only at this point). I've tried RADIUS (IETF) and TACACS+ (Cisco IOS) with various failed attempts logged in ACS. Any ideas what I'm missing?
    thanks

    I've also been trying to use ACS to authenticate users to manage my WCS. I have not been able to make it work either. During my research I found this document, which states it is not possible at this time. Not sure what version of ACS or WCS they are referring to.
    http://www.cisco.com/en/US/products/ps6305/products_qanda_item09186a00807a60f0.shtml#apr6
    I am using WCS 4.2.81 and ACS 4.1 (both on different servers). If this is possible I would like to know how I need to configure my ACS server.
    regards,
    cyril

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance, we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.
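
An added example, not part of any of the threads above: a small Python parser for the WCS TACACS+ trace quoted in the "Integrating WCS 7.0 with ACS 5.1" thread, listing the attributes WCS rejected and the padding that follows each rejected name in the log. The function and field names are hypothetical, and the sample lines are rebuilt from the quoted trace.

```python
import re

# Sample input rebuilt from the trace quoted in the thread (common prefix factored out).
PREFIX = "01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] "
SAMPLE_TRACE = "\n".join(PREFIX + entry for entry in [
    "adding task: task51 = Performance Reports",
    "adding task: task15 = Email Notification",
    "rejecting task: task50 = Device Reports                is not a valid task",
    "adding task: task53 = Network Summary Reports",
    "rejecting task: task47 = Config Audit Dashboard    is not a valid task",
    "adding role: role0 = Root",
    "Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0",
])

ENTRY_RE = re.compile(r"\[TACACS\+ AAAModule\] (adding|rejecting) (task|role): (\w+) = (.*)$")
REJECT_RE = re.compile(r"^(.*?)(\s*)is not a valid task$")
TOTAL_RE = re.compile(
    r"Total permissions for user (\S+) : tasks\s+(\d+) : roles\s+(\d+) : virtual-domains\s+(\d+)")


def parse_trace(text, configured_tasks=None):
    """Summarise which TACACS+ attributes WCS accepted or rejected at login."""
    report = {"accepted": {}, "rejected": [], "roles": {}, "totals": None, "not_granted": None}
    for line in text.splitlines():
        total = TOTAL_RE.search(line)
        if total:
            report["totals"] = {"user": total[1], "tasks": int(total[2]),
                                "roles": int(total[3]), "virtual_domains": int(total[4])}
            continue
        entry = ENTRY_RE.search(line)
        if not entry:
            continue
        action, kind, attr, value = entry.groups()
        if action == "rejecting":
            # Split the name from the fixed suffix and record the padding between them.
            rej = REJECT_RE.match(value)
            name, pad = (rej[1], len(rej[2])) if rej else (value, 0)
            report["rejected"].append({"attr": attr, "name": name, "padding": pad})
        elif kind == "role":
            report["roles"][attr] = value.strip()
        else:
            report["accepted"][attr] = value.strip()
    if configured_tasks is not None and report["totals"]:
        # Configured task entries that WCS did not add to the session.
        report["not_granted"] = configured_tasks - report["totals"]["tasks"]
    return report


if __name__ == "__main__":
    result = parse_trace(SAMPLE_TRACE, configured_tasks=73)  # 73 is the count given in the post
    for r in result["rejected"]:
        print(f"{r['attr']}: {r['name']!r} rejected, {r['padding']} spaces before the suffix")
    print("not granted:", result["not_granted"])
```

More than one space of padding after a rejected name is a prompt to check the corresponding attribute value in the shell profile for trailing whitespace; the trace alone does not confirm that as the cause.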
