Configure Nexus 7k for TACACS in Cisco ACS

Hi,
Please advise on how to configure a Cisco Nexus 7k for TACACS+ so that it authenticates against Cisco ACS. Our Cisco ACS is getting users from Active
Directory.
Please advise if the below config is acceptable:
feature tacacs+
tacacs-server key KEY
tacacs-server timeout 20
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
    server 1.1.1.1
    use-vrf management
    source-interface mgmt0
tacacs-server directed-request
aaa authentication login default group TEST
aaa authentication login console none
aaa authorization commands default group TEST
aaa accounting default group TEST
aaa authentication login error-enable

Hi,
What OS version are you using on your servers?
Craig
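The snippet in the question is the kind of thing a reviewer reads line by line. As an added example (not code from the post, nor anything Cisco ships), the script below audits an NX-OS AAA snippet of that shape: it parses the `tacacs-server` hosts and the `aaa group server` block, then flags the points a security engineer would raise about the posted config, namely the console method `none`, method lists with no explicit `local` fallback, a single server in the group, a cleartext shared key, a long timeout, and a `source-interface` whose VRF does not match `use-vrf`. `SAMPLE_CONFIG` is constructed from the question's snippet; the mgmt0-to-VRF mapping is the only interface assumption it makes.

```python
"""Audit an NX-OS TACACS+/AAA snippet for the pitfalls a reviewer looks for.

Added example, not code from the original post. It checks NX-OS
'show running-config aaa' line patterns and cross-checks the server group
against the host and VRF definitions. SAMPLE_CONFIG is constructed from
the snippet in the question, placeholder key included.
"""
import re

SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server key KEY
tacacs-server timeout 20
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
    server 1.1.1.1
    use-vrf management
    source-interface mgmt0
tacacs-server directed-request
aaa authentication login default group TEST
aaa authentication login console none
aaa authorization commands default group TEST
aaa accounting default group TEST
aaa authentication login error-enable
"""

# mgmt0 always sits in VRF "management" on NX-OS; other interfaces are not
# mapped here (assumption) - extend this from 'show vrf interface' if needed.
INTERFACE_VRF = {"mgmt0": "management"}


def parse(config):
    """Split the snippet into TACACS+ host lines, server groups and top-level lines."""
    hosts, groups, toplevel, current = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace():                       # child line of the open group
            tok = line.split()
            if current is not None and len(tok) == 2:
                field = {"server": "servers", "use-vrf": "vrf",
                         "source-interface": "source"}.get(tok[0])
                if field == "servers":
                    groups[current]["servers"].append(tok[1])
                elif field:
                    groups[current][field] = tok[1]
            continue
        current = None
        toplevel.append(line)
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            hosts[m.group(1)] = line
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"servers": [], "vrf": None, "source": None}
    return hosts, groups, toplevel


def audit(config):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    hosts, groups, toplevel = parse(config)
    findings = []
    for line in toplevel:
        if line == "aaa authentication login console none":
            findings.append(("HIGH", "console login method is 'none': anyone with console "
                             "or terminal-server access gets a shell without credentials"))
        for scope in ("authentication login default", "authorization commands default"):
            m = re.match(rf"aaa {scope} group (\S+)(.*)", line)
            if m and "local" not in m.group(2).split():
                findings.append(("MEDIUM", f"'{scope}' uses group {m.group(1)} without an "
                                 "explicit 'local' fallback; append 'local' instead of relying "
                                 "on the platform default when every server is unreachable"))
        if line.startswith("tacacs-server") and re.search(r"\bkey (?!7 )\S+", line):
            findings.append(("LOW", f"shared key in cleartext (no 'key 7'): {line!r}; treat "
                             "the snippet as a secret and rotate the key if it was pasted around"))
        m = re.match(r"tacacs-server timeout (\d+)", line)
        if m and int(m.group(1)) > 5:
            findings.append(("LOW", f"timeout {m.group(1)}s: each unreachable server adds that "
                             "delay to every login before the next method is tried"))
    for name, g in groups.items():
        if len(g["servers"]) < 2:
            findings.append(("MEDIUM", f"group {name} has a single server: no redundancy"))
        for ip in g["servers"]:
            if ip not in hosts:
                findings.append(("HIGH", f"group {name} lists {ip} but no 'tacacs-server host "
                                 f"{ip}' line exists"))
        vrf = INTERFACE_VRF.get(g["source"])
        if vrf and g["vrf"] and vrf != g["vrf"]:
            findings.append(("HIGH", f"group {name}: source-interface {g['source']} is in VRF "
                             f"{vrf}, not the configured use-vrf {g['vrf']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the output of `show running-config aaa` and `show running-config tacacs+` pasted into a file; the posted snippet yields one HIGH (the console method), three MEDIUM and three LOW findings, and a version with `console local`, `group TEST local` on both method lists, two `tacacs-server host` entries keyed with `key 7` and a 5-second timeout yields none. The check for `local` is deliberately phrased as "make the fallback explicit": the script does not claim to know what a given NX-OS release does when the group is unreachable, it only makes sure the config says so.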

Similar Messages

  • Configure Nexus 5548 for native FC

    hi
    does anyone have steps on how to configure an N5k for native FC to a storage controller and then map that to an interface running FCoE to a fabric interconnect, say a 6200?
    appreciate any pointers

    I hope this helps. For integrating UCS in FC NPV mode, you need to enable NPIV on the N5k (feature npiv).
    Fibre Channel (FC) Ports on Nexus 5000
    Cisco Nexus 5000 is a Cisco data center switch platform that supports conventional Ethernet, Storage Area Network (SAN) and Fibre Channel over Ethernet (FCoE). The switch platform supports direct connection to a native Fibre Channel (FC) SAN with its FC ports. This is needed, at least for now, as most customers' storage is still FC-attached or sits behind an FC network.
    This post looks specifically at how to enable FC ports on the Nexus 5500 (Nexus 5548UP and Nexus 5596UP) when we need to connect and integrate with an FC network. In addition, we will look at some of the rules or restrictions, based on the current hardware implementation, that are worth noting when allocating ports on the switch for FC.
    Cisco Nexus 5548UP and Nexus 5596UP are Unified Fabric switches that have 32 and 48 fixed SFP+ ports, respectively. These fixed or built-in ports are unified ports, which means that each port can be used for conventional Ethernet, FCoE or FC. Out of the box, all 32 or 48 ports are of the "Ethernet" port type. As the name implies, with this port type the port is ready to be used as a conventional Ethernet port or for FCoE. Remember that FCoE is basically FC traffic transported over Ethernet, so we need the "Ethernet" port type for FCoE.
    In that case, what if we need to use some of the built-in ports for FC?
    To use some of the ports as FC ports, we need to change the port type of the port(s) that we intend to use for the FC connection. Here is an example of the commands to change the port type on the switch:
    N5K(config)# slot 1
    N5K(config-slot)# port 41-48 type fc
    N5K(config-slot)# end
    N5K# copy running-config startup-config
    N5K# reload
    As in the above command example, we change ports 41 through 48 from the default "Ethernet" to the "FC" type. Similarly, to convert back from FC to Ethernet port type:
    N5K(config)# slot 1
    N5K(config-slot)# port 41-48 type ethernet
    N5K(config-slot)# end
    N5K# copy running-config startup-config
    N5K# reload
    Note: Refer to this Cisco's Command Reference document for further detail of this command: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/command/reference/layer2/n5k-l2_cmds_p.html#wp2326019
    You might be surprised that there is a reload command at the end. Yes, you need to reload the entire switch to convert the port type. So one of the important notes here is that, as much as possible, you should convert the ports before the switch is in production.
    After the port type has been changed from Ethernet to FC, the FC ports will not be enabled on the switch until the FCoE feature is enabled:
    N5K(config)#feature FCOE
    C license checked out successfully
    fc_plugin extracted successfully
    FC plugin loaded successfully
    FCoE manager enabled successfully
    FC enabled on all modules successfully
    Enabled FCoE QoS policies successfully
    After that, we verify that the port type has changed successfully and the FC ports appear on the switch:
    N5K# show interface brief
    Interface  Vsan   Admin  Admin   Status          SFP    Oper  Oper   Port
                      Mode   Trunk                          Mode  Speed  Channel
                             Mode                                 (Gbps)
    fc1/41     1      auto   on      sfpAbsent        --     --           --
    fc1/42     1      auto   on      sfpAbsent        --     --           --
    fc1/43     1      auto   on      sfpAbsent        --     --           --
    fc1/44     1      auto   on      sfpAbsent        --     --           --
    fc1/45     1      auto   on      sfpAbsent        --     --           --
    fc1/46     1      auto   on      sfpAbsent        --     --           --
    fc1/47     1      auto   on      sfpAbsent        --     --           --
    fc1/48     1      auto   on      sfpAbsent        --     --           --
    Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
    Interface                                                                    Ch #
    Eth1/1        1       eth  trunk  down    SFP validation failed       10G(D) 22
    Eth1/2        1       eth  access down    SFP not inserted            10G(D) --
    Eth1/3        1       eth  trunk  down    SFP validation failed       10G(D) 32
    Eth1/4        1       eth  access down    SFP not inserted            10G(D) --
    Besides the fixed ports, each switch model has slots for expansion modules to increase the port density. The number of slots is 1 for the Nexus 5548UP and 3 for the 5596UP. For supporting FC, the following modules are available to choose from:
    - Fibre Channel plus Ethernet module that provides eight Ethernet ports and eight native Fibre Channel ports.
       The first 8 ports of this module are Ethernet ports and the remaining 8 ports are FC ports. The locations of the Ethernet and FC ports are indicated with different colors.
    http://3.bp.blogspot.com/-46A5Xu-iy3g/UALOGhdiW-I/AAAAAAAAAF4/DuhCP59VX54/s1600/Nexus+5000+-+Module2.PNG
    - Unified port module that provides up to sixteen Ethernet ports OR up to sixteen native Fibre Channel ports.
       These are unified ports, similar to the fixed or built-in ports, whereby it is up to us to use the ports either for Ethernet or for FC. You may want to use only some of the ports, or even the entire module, for FC.
    http://4.bp.blogspot.com/-f95sJ9tsntM/UALOPrUXNpI/AAAAAAAAAGA/M4VA-C2Yh3U/s1600/Nexus+5000+-+Module3.PNG

  • Configuring Nexus 5k for SAN switching between UCS 6100s and NetApp storage

    We are trying to get our UCS environment setup to do SAN boot to LUNs on our NetApp storage. We have a pair of Nexus 5Ks with the Enterprise / SAN license on them and the 6-port FC module installed. What needs to be done to configure the Nexus 5000 to operate as the SAN switch between the storage target and the UCS environment?

    I'm still not seeing the LUN on the NetApp device from my service profile. Here are the outputs from the two
    commands you referenced here along with a few other commands if they help at all.
    Port fc2/1 is the connection to the UCS 6100, with FCID 0x640004 being the vHBA in my server profile.
    Port fc2/5 is the NetApp target. I have the LUN masked to the vHBA port name 20:00:00:25:b5:01:00:ff
    I have just the wwpn from the vHBA in my server profile and the wwpn of the NetApp target port zoned together. I'm not seeing any FC traffic at the NetApp though from looking at the statistics. Do I need to include something else in my zoning?
    Again, any assistance would be appreciated. This is obviously our first venture into FC...

  • Cisco ACS (TACACS+) - AAA failure on WLC

    Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
    Authentication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and Activity > Failed Attempts):
    Message Type: Author Failed
    Author-Failure-Code: Service denied
    Author-Data: service=ciscowlc protocol=common
    Anybody have any idea to resolve this problem.
    Thanks,
    Colm

    Hi,
    The document you referred is correct.
    What version of WLC are you running?
    Check this one:
    CSCsk21007    WLC requires TACACS authentication when configuration change Access Control
    HTH
    Regards,
    JK
    Please rate helpful posts.

  • TACACS for AAA on Cisco Switch

    I have configured our switches for TACACS authentication, however it does not seem to be working. I know it is trying, as if I remove the secondary login option (local) I am denied access completely, but I see no log on the ACS server. Any ideas? Oh, and this is going across an any-to-any VPN.

    Can you log into your switch and turn on debug aaa authentication and debug tacacs?
    Then go ahead and issue a test aaa group ... command to test the authentication. Do you see it timing out? Are you using a source interface for this traffic? Is that source interface inside the LAN-to-LAN interesting traffic?

  • Configuring TACACS in non-ACS mode on CSM

    We are trying to configure CSM to use TACACS in non-ACS mode, just for authentication. But we cannot get CSM to see the ACS server to verify the ID and password at login. Is there a trick to getting this to work? We do not want to turn on full ACS mode as there is no backdoor to log in if the server is not available.

    Hi,
    The major difference between the enable password and the enable secret password is that the encrypted enable password uses a reversible cryptographic function, and the plain-text password can be recovered from the encrypted password. The enable secret password, however, uses a non-reversible cryptographic function.
    The only time the enable password is used is if the enable secret password is disabled (or you are using an old image that does not support the enable secret password).
    Therefore, it should be perfectly safe for you to remove the enable password. You will not get locked out of the switch as long as you know the enable secret password.
    Hope that helps - pls rate the post if it does.
    Paresh
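The reply above says the encrypted enable password is reversible; the added example below (not code from the thread, and not Cisco's) shows exactly how. An IOS "password 7" string is a two-digit decimal offset followed by the password XORed byte-by-byte with a fixed, publicly known 40-byte constant, so anyone who can read the config can recover it. The script decodes and encodes type 7, and walks a constructed running-config to list every credential line with its scheme, reversing type 7 on the spot and leaving type 5 (MD5-crypt) alone. The config lines, the type 7 strings and the `$1$...` hash are all constructed for the demo.

```python
"""Cisco 'password 7' reversal, to make the reply's point concrete.

Added example, not code from the thread. Type 7 is a fixed, public 40-byte
key XORed with the password, prefixed by a two-digit decimal offset into
that key; anyone holding the config can invert it. SAMPLE_CONFIG and the
type-5 hash string in it are constructed for the demo (the hash is not a
real digest of anything).
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the well-known constant

SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 0822455D0A16
username admin password 7 060506324F41
tacacs-server key 7 0822455D0A16
line con 0
 password cisco
"""


def type7_decode(encoded):
    """Recover the plaintext from a 'password 7' string such as 0822455D0A16."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type-7 string: {encoded!r}")
    seed = int(encoded[:2])                     # offset into XLAT, 0..15 in practice
    body = bytes.fromhex(encoded[2:])           # raises on non-hex input
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(plaintext, seed=8):
    """Produce a 'password 7' string; IOS picks the seed itself, here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode()
    return f"{seed:02d}" + "".join(f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}"
                                    for i, b in enumerate(data))


# <keyword> [<scheme digit>] <value>; the digit is absent for an unencrypted value
SECRET_LINE = re.compile(r"\b(password|secret|key)\s+(?:(\d)\s+)?(\S+)")


def classify_secrets(config):
    """Return (line_no, scheme, plaintext_or_None) for each credential-bearing line.

    Scheme '7' is reversed on the spot; '0' (or no digit) is already cleartext;
    anything else (5 = MD5-crypt, 8 = PBKDF2-SHA256, 9 = scrypt) is a one-way
    hash that this tool cannot reverse, so plaintext is None.
    """
    out = []
    for n, line in enumerate(config.splitlines(), 1):
        m = SECRET_LINE.search(line)
        if not m or line.lstrip().startswith("!"):
            continue
        scheme = m.group(2) or "0"
        if scheme == "7":
            out.append((n, scheme, type7_decode(m.group(3))))
        elif scheme == "0":
            out.append((n, scheme, m.group(3)))
        else:
            out.append((n, scheme, None))
    return out


if __name__ == "__main__":
    for line_no, scheme, plain in classify_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: type {scheme} -> {plain if plain is not None else '(one-way hash)'}")
```

Note that `service password-encryption` only buys type 7 for the lines it covers, which is why the sample still reverses every one of them; only the `enable secret` line survives the scan, which is the point the reply is making about `enable secret` versus `enable password`.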

  • Cisco ACS 4.2 Replication No Synchronization Partner

    I have two ACS 4.2 configured as expected for replication but Primary ACS does not show any synchronization partner either on the left or right. The Secondary ACS does have synchronization partner listed. What could be the reason for this?

    This has been resolved

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1 to configure it with a Juniper Netscreen firewall for RADIUS & TACACS+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back-and-forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described it, it seemed like anyone in this group can go directly
    into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for a Juniper SRX 210 firewall with Cisco ACS 5.1 TACACS but I am unable to achieve it.
    Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 into Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes that device needs.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which JunOS routers use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
    For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
    Thanks!

    I see your point. This depends on whether the user's IP is provided in the authentication request; if it is, you can use the feature called "End Station Filter". This feature is used as a condition in the access policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter; here, configure the user's IP
    2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
    3. Define your rule with the required result

  • Juniper SSG and Cisco ACS v5.x Configuration

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
    Configure the Juniper (CLI)
      1. Add the Cisco ACS and TACACS+ configuration
         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external
    Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile.
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab
                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Mandatory
                            Value:                    root
                            Click the [Add^] button above the Attribute field
                        Add the privilege attribute:
                            Attribute:                privilege
                            Requirement:       Mandatory
                            Value:                    root
                                    Note: you can also use 'read-write', but then the local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page
    2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom Right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window
                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the ip address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page
    3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

    Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
    You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.
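Both the SRX answer above ("capture the packets ... that's how I found the local-user-name attribute") and the SSG walkthrough come down to attribute-value pairs that ACS returns in a TACACS+ authorization REPLY. The added example below (not code from either thread, and not ACS, Juniper or Cisco code) builds one authorization exchange per RFC 8907 so you can see where `vsys=root` / `privilege=root` (ScreenOS) or `local-user-name=...` / `allow-commands=...` (Junos) sit in the body, and it applies the shared-key obfuscation the protocol uses, which is why a raw capture is unreadable without the `tacacs secret` from the device config. The key (the SSG post's `CiscoACSv5`), session id, username, port and address are constructed for the demo, and the exchange is simulated in-process rather than sent over TCP.

```python
"""TACACS+ (RFC 8907) authorization exchange, built and parsed end to end.

Added example, not code from either thread and not ACS or Juniper code.
It shows where shell-profile AV pairs travel on the wire and how the shared
key obfuscates the body. Key, session id, user, port and address are
constructed for the demo.
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xC, minor 0
TYPE_AUTHOR = 0x02             # packet type: authorization
FLAG_UNENCRYPTED = 0x01        # body sent in the clear (testing only)
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS_ADD = 0x01         # approved; client adds the returned AV pairs

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: MD5(session_id, key, version, seq_no[, previous digest]), chained."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR the body with the keyed pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(ptype, seq_no, session_id, body, key):
    """Header plus body; an empty key sends the body in the clear with the flag set."""
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, seq_no) if key else body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def author_request(user, port, rem_addr, args, priv_lvl=1):
    """Authorization REQUEST body (s.6.1); args are 'attr=value' AV pairs."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = bytes([AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                   AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a)])
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def author_reply(status, args, server_msg=""):
    """Authorization REPLY body (s.6.2): status, arg_cnt, msg_len, data_len, lens, msg, args."""
    a = [x.encode() for x in args]
    msg = server_msg.encode()
    return (bytes([status, len(a)]) + struct.pack("!HH", len(msg), 0)
            + bytes(len(x) for x in a) + msg + b"".join(a))


def parse_author_reply(raw, key):
    """Unpack a REPLY packet with the shared key; returns (status, [AV pairs], server_msg)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    if ptype != TYPE_AUTHOR:
        raise ValueError("not an authorization packet")
    body = raw[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no, version)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, args, server_msg


def exchange(key, session_id, request_args, reply_args):
    """Client REQUEST (seq 1) and server REPLY (seq 2) for one session.
    Returns (parsed reply, raw request, raw reply) so the wire form can be inspected."""
    req = packet(TYPE_AUTHOR, 1, session_id,
                 author_request("eng1", "tty0", "10.0.0.5", request_args), key)
    rep = packet(TYPE_AUTHOR, 2, session_id, author_reply(STATUS_PASS_ADD, reply_args), key)
    return parse_author_reply(rep, key), req, rep


if __name__ == "__main__":
    key = b"CiscoACSv5"                        # the SSG post's 'tacacs secret', demo value
    (status, args, _), _, rep = exchange(key, 0x1A2B3C4D, ["service=shell"],
                                         ["vsys=root", "privilege=root"])
    print(hex(status), args, "attrs visible in capture:", b"vsys=root" in rep)
```

Two practical consequences follow from the code. First, the pad is an MD5 chain keyed only by the shared secret and the 4-byte session id, with no integrity check, so TACACS+ should stay on an out-of-band or management VRF (as the Nexus snippet at the top of the page does with `use-vrf management`) rather than be treated as encrypted. Second, when you do get a capture to debug a shell profile, decoding it needs the device's key; without one, the `flags` byte set to `0x01` is the only case where the attributes are readable as text.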

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • Cisco acs 4.2 for bandwidth management

    hi sir ,
    I have a problem with my Cisco ACS 4.2. I have a Cisco ASA 5510 which is an AAA client of my ACS 4.2. I want to limit bandwidth per user.
    I have tested different RADIUS attributes, but they didn't work.
    How can I configure this feature?
    best regards

    Jatin,
    Currently we're using TACACS+ for authentication.  We
    Here's a description of the requirement for 2 factor authentication:
    Id - NET0431
    Vulnerability
    Discussion
    AAA network security services provide the primary framework through which a network administrator can set up access control on
    network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a
    user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users
    may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be
    incapacitated with only a few commands.
    Default Finding Details
    AAA server does not redirect/call to a two-factor authentication server.
    NET Authentication Access
    Procedure: The implementation varies and a thorough review is necessary. Have the SA review and discuss their
    implementation. A typical AAA process includes the network system redirecting user access requests either directly to an
    ACE/Server or to a CiscoSecure ACS (TACACS+) server which redirects the 'authentication' request to the ACE/Server for
    strong authentication via user tokens (keyfobs). During the review have the SA point out the calls from the TACACS+ or Radius
    servers to the authentication server performing the two-factor requirement
    From my understanding ACS can meet this requirement; I just need some ideas or case studies to see how it was implemented.
    Stephanie

  • Cisco ACS for Unix authentication

    My company is looking for a single sign-on for all the Windows and Unix servers, mainly for admins. I was wondering if Cisco ACS will work for this.
    Basically the authentication will be for all the servers, and routers of course. I am thinking, if I specify Windows AD in the ACS config, can I get the Unix boxes to authenticate against RADIUS?
    Any help will be appreciated.
    Manny

    Hi,
    Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
    Hope that helps out your query !!
    http://www.ibm.com/developerworks/library/l-radius/
    Regards
    Ganesh.H
