NCS TACACS accounting via ACS

If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made?  I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within the NCS GUI like I can on a WLC.  I know that NCS has an internal audit trail, but if a user's account is both a local account on NCS as well as an account being authenticated through ACS, does the audit trail on NCS for that local user still contain the information about changes the user made?  I ask because it looks like it does, but I want to make sure I'm not going mad.  Here is my example:
Local account username:  NCS_Admin2
AD account via TACACS username:  NCS_Admin2
Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
I know that is probably as clear as mud.
Thanks.
Todd

User is authenticated with TACACS
NCS_Admin2
NCS.customerdomain.local
2013-Mar-05, 10:18:30 EST
2013-Mar-05, 11:22:36 EST
TACACS+
Admin 

Similar Messages

  • Prime NCS: TACACS+ Integration into ACS 5.1

    Hello,
    I'd like to integrate TACACS+ into NCS.
    I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.
    Any ideas?
    regards
    Alex
    Here is my Shell Profile Configuration

    I finally could log in, but not the default Ambassador view.
    That's really strange. Here is the authorization result from my ACS server.
    {Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }
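The authorization reply above is a flat list of `AVPair=` entries whose attribute names carry an index (`role0`, `task0` to `task4`, `virtual-domain0`). The following parser, an added example that is not code from the thread or from Cisco, regroups those indexed pairs into ordered lists so the roles, tasks and virtual domains ACS actually returned can be checked at a glance. The reply string is the one posted above; the helper names and the check that a role and a virtual domain are both present are assumptions made for the example.

```python
"""Parse an ACS 5.x TACACS+ authorization reply (as logged for an NCS shell
profile) into status fields and grouped AVPair lists.  Added example; the
REPLY string is the one from the thread, everything else is constructed."""
import re

# Authorization result posted in the thread (copied verbatim).
REPLY = ("{Type=Authorization; Author-Reply-Status=PassAdd; "
         "AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; "
         "AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; "
         "AVPair=task3=Configure Guest Users; AVPair=task4=Check License; "
         "AVPair=virtual-domain0=ROOT-DOMAIN; }")

# Attribute names that end in a decimal index, e.g. task3 or virtual-domain0.
INDEXED = re.compile(r"^(?P<name>[A-Za-z-]+?)(?P<idx>\d+)$")


def parse_reply(text):
    """Return {'Type': ..., 'Author-Reply-Status': ..., 'avpairs': {...}}.

    Indexed AVPairs become lists ordered by index; unindexed ones stay
    as plain strings."""
    body = text.strip().strip("{}").strip()
    result = {"avpairs": {}}
    pending = {}  # name -> {index: value}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key != "AVPair":
            result[key] = value
            continue
        attr, _, avval = value.partition("=")
        m = INDEXED.match(attr)
        if m:
            pending.setdefault(m.group("name"), {})[int(m.group("idx"))] = avval
        else:
            result["avpairs"][attr] = avval
    for name, by_idx in pending.items():
        result["avpairs"][name] = [by_idx[i] for i in sorted(by_idx)]
    return result


def has_role_and_domain(parsed):
    """Assumption for this example: a usable NCS authorization carries at
    least one role and one virtual-domain AVPair alongside a Pass status."""
    status = parsed.get("Author-Reply-Status", "")
    av = parsed["avpairs"]
    return status.startswith("Pass") and bool(av.get("role")) and bool(av.get("virtual-domain"))


if __name__ == "__main__":
    parsed = parse_reply(REPLY)
    print("status:", parsed["Author-Reply-Status"])
    for name, values in parsed["avpairs"].items():
        print(f"{name}: {values}")
    print("role and domain present:", has_role_and_domain(parsed))
```

Running the block prints the five tasks in index order and reports that both a role and a virtual domain were returned, which is the first thing to confirm when the expected view does not appear after login.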

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck:
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    Any idea about it?

    Hi, I am using the 4.2 version appliance. I am using TACACS+; you can see the config below for your reference.
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123

  • TACACS+ Accounting "Network Access Profile" name is missing

    Hello,
    I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2
    In the document http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixA.html Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.
    Is this some bug in ACS View or ACS, or maybe I am simply missing something? ;)
    Best Regards,
    Igor

    Cisco created a new bug for it:
    CSCtq85420
    Best Regards,
    Igor

  • Anyconnect session accounting via radius or syslog ?

    Hi
    Does anyone have a deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
    If so could you assist with appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
    I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.
    Many thanks for any input, St.

    What have you configured for RADIUS accounting on the ASA?
    Can you paste the output of show run aaa-server and show run tunnel-group?
    Basically all you need is to define a RADIUS server group and call that group under the tunnel-group parameters.
    !--- Configure the AAA Server group.
    ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
    ciscoasa(config-aaa-server-group)# exit
    !--- Configure the AAA Server.
    ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)# key secretkey
    ciscoasa(config-aaa-server-host)# exit
    !--- Configure the tunnel group to use the new AAA setup.
    ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
    Once done, you can then establish a session and check radius accounting detailed packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
    In case you don't see RADIUS accounting after following the above steps, then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
    Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail in our experience for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate - check that the system account has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you raise the logging levels to full and examine the csauth log closely, you should get more detail as to the reason.
    Hope that helps
    Andy

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA Tacacs users to login into the
    ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell (exec)
    -> enable Custom attributes -> right below this part you need to
    use the following syntax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role
    admin using the 'default-domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional; if you select mandatory and other IOS devices use this same shell profile, you will force this AV pair on those devices also, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • ANM device importing and config sync - user name authenticatiing via ACS

    Good day,
    We have the following issue:
    Switches and ACE modules imported into ANM 3.2. Additional modules added and tried to import. Failed. Tried to sync and received the following message for the Admin context:
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    All other contexts also fail to sync.
    Thought this may be due to the fact that the user ID used for import is an AD account, and this authenticates via ACS to AD, and this has expired and changed since the original import. Deleted the chassis and re-imported with the same user ID and new password and all works fine.
    Have checked the links below; however, I don't believe these will resolve the issue:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1094120
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1393377
    I believe this is occurring due to the fact that we are authenticating via ACS to AD for all devices (switches and ACE modules) as well as ANM.
    So is the only solution here to create a static user account in ACS and add it to the relevant NDGs for switches and ACE modules?
    Also would we have to have the password never expire as I don't see a way to change/configure this password within ANM apart from when the devices are initially imported?
    Any input would be greatly appreciated.
    Thanking you in advance.
    Paul

    Dears
    Kindly help: when I'm trying to import an ACE module I get the following message.
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    Does anybody have a resolution for this error?
    BR

  • Aaa accounting under acs

    Hi
    I use ACS 4.1. Under "Reports and Activity" -> "TACACS+ Accounting" I can see some start/stop reports.
    But under "Reports and Activity" -> "TACACS+ Administration" I can't see anything...
    What do I have to configure at least?
    Thanx
    bb

    BB,
    This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
    Patch for appliance is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    Patch name : ACS SE 4.1.1.23.5 accumulative patch
    Patch for ACS Windows is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Patch Name : ACS 4.1.1.23.5 accumulative patch
    That should fix the issue,
    Regards,
    Jagdeep
    Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

  • Regarding Tacacs+ Accounting

    Dear All,
    This is regarding TACACS+ accounting. We have Cisco ACS server 4.2 for AAA. I want to configure accounting in such a way that I get reports containing the commands used by a user after successfully logging in to the router. Currently I am getting reports containing IN and OUT time, who the user was, etc. So what do I change if I want all the commands used by the user on the router after login?
    Thanks,
    Abhisar.

    hi,
    You will have to configure command authorization for that and then the command accounting.
    The following link throws some light on it.
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1059882
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this post as answered if you feel your query is answered. Do rate helpful posts.

  • Tacacs+ accounting log question

    I have a TACACS server running for accounting purposes only (so I use local authentication). So I can collect all accounting logs only.
    This is a snapshot for accounting part.
    Tacacs accounting logs
    <102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
    <102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
    As you can see, I can't see any command lines, such as show int ip b. I can see all router and switch logs, but the ASA logs show only the above. No matter what commands I used, it only shows the above logs. Do I miss something? I'd like to capture all command lines when users use ASDM because we always use ASDM.
    I used a free TACACS+ server, not ACS.
    Thanks for your time.

    Hi Patrick,
    In the ACS View Reports (Monitoring & Reports > Reports > Catalog > AAA Protocol) you can select the
    radio button and, by selecting 'Run' at the bottom, run a specific query. Without that, by default you will see only a report from one day.
    For the 2nd question, yes, the ACS View is designed to store that information; however, if needed you can send the logs to an external syslog server or perform regular backups of the ACS View database.
    Kind regards,
    Pawel
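The accounting lines posted in the question above are a useful sample of what a free TACACS+ daemon writes per command: one syslog record per `Stop`, with `User=`, `cmd=` and `service=shell` fields, where the ASA only ever reports `configure term` and never the individual commands issued through ASDM. The parser below is an added example, not the poster's tooling nor the daemon's own; it reads those lines (copied from the question, plus one constructed router line with a real per-command record for contrast), builds a per-user command summary, and flags each user/NAS pair whose record ends at `configure term` with no later command, which is exactly the gap the question describes. Field names come from the log lines; the helper names and the flagging heuristic are this example's own.

```python
"""Parse tac_plus-style TACACS+ accounting syslog lines and summarise
commands per user.  Added example; the first four log lines are the ones
posted in the question, the fifth is a constructed router record."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:09:10 [10.254.1.2:19255] 02/24/2014 07:09:10 NAS_IP=10.254.1.3 Port=tty1 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5b cmd=show ip interface brief service=shell elapsed_time=0
"""

# <PRI> receiver-timestamp [source:port] device-date device-time key=value ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<src>[^\]]+)\]\s+\S+\s+\S+\s+(?P<body>.*)$")

# Known field names; splitting on "next known key" keeps spaces inside cmd=.
KEYS = ("NAS_IP", "Port", "rem_addr", "User", "Flags", "task_id", "cmd",
        "service", "elapsed_time")
FIELD_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(KEYS))


def parse_line(line):
    """Return a dict of fields for one accounting record, or None if the
    line does not look like one.  Values are stripped so 'User= brian'
    (as logged above) yields 'brian'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"pri": int(m.group("pri")), "ts": m.group("ts"), "src": m.group("src")}
    for field in FIELD_SPLIT.split(m.group("body")):
        key, _, value = field.partition("=")
        rec[key] = value.strip()
    return rec


def summarize(log_text):
    """Map user -> list of (timestamp, NAS_IP, cmd) for shell Stop records,
    which are the ones that carry an executed command."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("service") == "shell" and rec.get("Flags") == "Stop":
            by_user[rec["User"]].append((rec["ts"], rec["NAS_IP"], rec["cmd"]))
    return dict(by_user)


def config_mode_without_commands(summary):
    """Heuristic from this example: a (user, NAS) whose last recorded command
    is 'configure term' had config-mode activity with no per-command record
    behind it, the ASDM symptom described in the question."""
    flagged = []
    for user, records in summary.items():
        per_nas = defaultdict(list)
        for _ts, nas, cmd in records:
            per_nas[nas].append(cmd)
        for nas, cmds in per_nas.items():
            if cmds and cmds[-1] == "configure term":
                flagged.append((user, nas))
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, records in summary.items():
        print(user)
        for ts, nas, cmd in records:
            print(f"  {ts}  {nas:<12} {cmd}")
    print("config mode with no command records:", config_mode_without_commands(summary))
```

On the sample, both `brian` and `mike` are flagged for `10.254.1.x` (the ASA), while `mike`'s constructed router record on `10.254.1.3` is not, which separates devices that do send per-command accounting from those that do not.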

  • Console Port accounting on ACS 5.0

    There are 3 profiles made for authentication, accounting and authorization on the device, called under line vty 0 4.
    It worked well. The same profiles are called under the console port without the authorization profile. The authentication worked with ACS, but
    accounting information is not reaching ACS. What could be the reason?

    ACS=> Monitoring and reports => Reports=>Catalog =>AAA protocol
    There you have RADIUS and TACACS accounting...

  • How can a parent restrict a child's access to a PARENT'S PRE-EXISTING iTunes account via iCloud's Family Sharing Program?

    How can a parent restrict a child's access to a PARENT'S PRE-EXISTING iTunes account via iCloud's Family Sharing Program?  To explain further... I have a young son who is on my iCloud family sharing program... I am excited to be able to share SOME of my music in my iTunes library, but there are some songs and music videos that are not age appropriate for him, and currently there is no way to restrict him from viewing and downloading anything off of my iTunes library.  Yes, I suppose I can delete the songs he shouldn't have access to, but I don't think I should have to do that... I paid for them and still like them and listen to them while I work out or am without my kids.  Is there a way for me to personally select which songs/videos I would like to "hide" from my children in an effort to shield them from inappropriate content?

    Hello ggg39,
    Welcome to the Apple Support Communities!
    I understand that you have some content in your iTunes library that you would like to restrict access for the child set up on Family Sharing with you. To do this, you can set restrictions on the child’s device as described in the attached article. 
    Family Sharing - Apple Support
    Now kids under 13 can have their own Apple IDs. As a parent or legal guardian, the family organizer can create an Apple ID for a child and add the child to the family group automatically. Ask to Buy is turned on by default, and the organizer can also limit the content kids have access to on their devices through Restrictions on an iOS device or parental controls in OS X and iTunes.
    For more information on restrictions and how to set them up, please reference the next attached article. 
    About Restrictions (parental controls) on iPhone, iPad, and iPod touch - Apple Support
    Have a great day,
    Joe

  • I synced two of my email accounts via gmail's POP3 thing. But now my iphone's gmail inbox shows a random selection of emails (not most recent ones that are in my inbox). How can I make my iphone inbox match what I see when I log on using a PC?

    I synced two of my email accounts via Gmail's POP3 capabilities. But now my iPhone's Gmail inbox only shows a random selection of emails (i.e. right now it is May 31, 2013, but the emails in my inbox are a couple from Nov 12, a few from Oct 12, and then some way older than that, and so on). When I log into my Gmail from a computer, I see all my emails in the logical, standard order. How can I make my iPhone inbox match what I see when I log on using a PC?

    If you're trying to decide between using POP and IMAP, we encourage you to use IMAP.
    Unlike POP, IMAP offers two-way communication between your web Gmail and your email client. This means when you log in to Gmail using a web browser, actions you perform on email clients and mobile devices (ex: putting mail in a 'work' folder) will instantly and automatically appear in Gmail (ex: it will already have a 'work' label on that email the next time you sign in).
    IMAP also provides a better method to access your mail from multiple devices. If you check your email at work, on your mobile phone, and again at home, IMAP ensures that new mail is accessible from any device at any given time.
    Finally, IMAP offers a more stable experience overall. Whereas POP is prone to losing messages or downloading the same messages multiple times, IMAP avoids this through two-way syncing capabilities between your mail clients and your web Gmail.
    That is from the page that you linked. Does the highlighted part of the message ring a bell?

  • How can I add credit to my account via PayPal? I don't have a credit card? Thanks.

    How can I add credit to my account via PayPal? I don't have a credit card? Thanks.

    Open iTunes.  Scroll to the bottom.  Click "Redeem".
