Prime NCS: TACACS+ Integration into ACS 5.1

Hello,
I'd like to integrate TACACS+ into NCS.
I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.
Any ideas?
Regards,
Alex
Here is my Shell Profile Configuration

I could finally log in, but not with the default Ambassador view.
That's really strange. Here is the authorization result from my ACS server.
{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }
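The authorization reply above is the thing NCS actually reads, so the first check when a user authenticates but lands in the wrong view is whether the indexed AV pairs (role0, task0..N, virtual-domain0..N) are complete and correctly numbered. The following parser is an added example written for this page, not code from NCS, ACS or the poster; it takes the reply string exactly as quoted above (embedded here as a constructed sample) and flags the shell-profile mistakes that produce a passing authentication with broken authorization. The accepted status values "PassAdd"/"PassRepl" and the assumption that NCS wants each family numbered contiguously from 0 are assumptions of the example, taken from the shape of the sample reply rather than from NCS documentation.

```python
import re
from collections import defaultdict

# Constructed sample: the ACS authorization reply quoted in the post above,
# reproduced as a string so the parser can be run offline.
SAMPLE_REPLY = (
    "{Type=Authorization; Author-Reply-Status=PassAdd; "
    "AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; "
    "AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; "
    "AVPair=task3=Configure Guest Users; AVPair=task4=Check License; "
    "AVPair=virtual-domain0=ROOT-DOMAIN; }"
)

# The indexed attribute families seen in the sample reply. That these are the
# families NCS expects is inferred from the sample, not from NCS documentation.
INDEXED = re.compile(r"^(role|task|virtual-domain)(\d+)$")


def parse_reply(text):
    """Split the reply into plain fields and an ordered list of (name, value) AV pairs."""
    body = text.strip().strip("{}")
    fields, avpairs = {}, []
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key.strip() == "AVPair":
            # value looks like "task1=Lobby Ambassador User Preferences"
            name, _, val = value.partition("=")
            avpairs.append((name.strip(), val.strip()))
        else:
            fields[key.strip()] = value.strip()
    return fields, avpairs


def group_indexed(avpairs):
    """Group roleN/taskN/virtual-domainN pairs by family, keyed on the integer index."""
    groups = defaultdict(dict)
    for name, value in avpairs:
        m = INDEXED.match(name)
        if m:
            groups[m.group(1)][int(m.group(2))] = value
    return groups


def check_reply(text):
    """Return (groups, problems); problems is empty when the reply looks well-formed."""
    fields, avpairs = parse_reply(text)
    problems = []
    # Only a passing authorization reply carries attributes worth reading
    # (PassAdd/PassRepl are the assumed ACS spellings of the TACACS+ PASS_ADD/PASS_REPL statuses).
    status = fields.get("Author-Reply-Status")
    if status not in ("PassAdd", "PassRepl"):
        problems.append("authorization status is %r, not PassAdd/PassRepl" % status)
    groups = group_indexed(avpairs)
    for family in ("role", "task", "virtual-domain"):
        indices = sorted(groups.get(family, {}))
        if not indices:
            problems.append("no %sN attribute in reply" % family)
        elif indices != list(range(len(indices))):
            # e.g. task0, task1, task3: a renumbering slip in the shell profile
            problems.append("%s indices are not contiguous from 0: %s" % (family, indices))
    # The same task listed twice usually means a copy/paste slip in the profile.
    seen = set()
    for value in groups.get("task", {}).values():
        if value in seen:
            problems.append("duplicate task %r" % value)
        seen.add(value)
    return groups, problems


if __name__ == "__main__":
    groups, problems = check_reply(SAMPLE_REPLY)
    print("role:", groups["role"], "virtual-domain:", groups["virtual-domain"])
    print("tasks:", [groups["task"][i] for i in sorted(groups["task"])])
    print("problems:", problems or "none")
```

Run it against the reply copied from the ACS authorization report; an empty problem list means the shell profile itself is consistent, and the mismatch must be on the NCS side (for example the role name or virtual domain not matching what NCS has configured).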

Similar Messages

  • Juniper SSG TACACS+ Integration with ACS 5

    Hi,
    I'm working on TACACS+ integration of a Juniper SSG firewall with ACS 5, but the login on the SSG fails. After checking the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
    Please advise,
    Cheers,
    Ryan

    I was able to configure the SSG to authenticate using RADIUS. In order to work with RADIUS, I had to create a RADIUS dictionary using the netscreen dictionary found at Juniper. Attached is the dictionary.
    I'm not sure how to import it, but I created the dictionary manually.

  • NCS TACACS accounting via ACS

    If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made? I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within the NCS GUI like I can on a WLC. I know that NCS has an internal audit trail, but if a user's account is both a local account on NCS as well as an account being authenticated through ACS, does the audit trail on NCS for that local user still contain the information about changes the user made? I ask because it looks like it does, but I want to make sure I'm not going mad. Here is my example:
    Local account username:  NCS_Admin2
    AD account via TACACS username:  NCS_Admin2
    Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
    I know that is probably as clear as mud.
    Thanks.
    Todd

    User is authenticated with TACACS
    NCS_Admin2
    NCS.customerdomain.local
    2013-Mar-05, 10:18:30 EST
    2013-Mar-05, 11:22:36 EST
    TACACS+
    Admin 

  • LMS PRIME 4.2 integrating with ACS 4.2

    Hello,
    I would like to integrate the new LMS Prime 4.2 with ACS 4.2.
    Is there a document or user guide for this version of LMS?
    Thanks in advance.
    Marwan

    In LMS 4.2 there is nothing known as Integration (as in LMS 3.x), since it added the RBAC feature.
    Now ACS can just be used as a PAM to have CiscoWorks authenticate via TACACS+ or RADIUS. After the auth is done, you should have an authorization set locally in LMS for the user, else they will be given default HELP DESK access.
    For more details check :
    Authentication Using Login Modules - Overview
    -Thanks

  • Cisco Prime NCS integration with ACS 5.1

    Hello,
    We have an issue with authorization on the NCS system. NCS is successfully integrated with ACS, but there is a problem with one user. All users have equivalent rights under root. There is a shell profile with all possible tasks (exported from the NCS server) configured on ACS. All users except this one (the unlucky one :)) authorize successfully. In the ACS logs, the authentication and authorization status for this user is passed and all attributes (policy, profile, AV pairs, etc.) are the same as for the other users. This 'unlucky' user gets the following message:
    There is surely no browser or network issue. Tried from different PCs with the same result. There is no local info related to this username on the NCS server. When I change one character in the username on his ACS account, everything works well. What could be a possible reason for this behaviour? Thanks!
    Our ACS version: 5.1.0.44.X
    NCS version: 1.1.2.X

    This question should be moved to the Security > AAA forums, as this sounds more like an ACS issue than NCS.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • LMS 3.1 Slow after integrating with ACS

    Dear all, has anyone faced an issue of slowness after integrating LMS 3.1 with ACS 4.2? I don't know how I can resolve this issue. Is there any patch to resolve it?
    Any kind of help will be very helpful.

    I'm using LMS 3.2 with ACS 4.0 and it actually seemed a bit faster after ACS integration. Nothing I measured, but subjectively it seems faster. Both my servers are on Windows and the ACS is across the WAN from my CiscoWorks.
    How do your devices fare with their ACS? You can debug tacacs at the router/switch level as one tool. I'm sure one of the cisco guys on here will point you to one of the many logs that LMS generates, possibly with debugging activated, to dig deeper there also.

  • Cisco Prime NCS 1.3

    I am running Cisco Prime NCS 1.3 and I have two questions that I hope someone can help me out with.
    Question 1) Is it possible to forward the Rogue Device Logs back to our SIEM server? If so, how?
    Question 2) How do I set up the Mail Server Configuration? The part I am stuck on is the Primary SMTP server. For the username and password, I don't know what username and password I should use. Should I use the account I am logged into NCS Prime with?
    Thanks for any help or input.
    Weiss

    Weiss,
    Re your first question: Prime itself cannot forward syslog messages it receives. You may need to set up your wireless controller to use a secondary syslog server, namely your SIEM server.
    Re the second, username and password is optional and only used when your mail server does not allow unauthenticated users from relaying mail.
    If it allows that, you can leave those fields blank.
    If it does require authentication, you should have a service account created on the smtp server for use by Prime when sending outgoing mail.

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS+ users log in to the ACE over the context with superuser rights.
    Group setup -> Users -> TACACS+ Settings -> enable Shell (exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role Admin using the 'default-domain'.

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair onto those devices as well, which will impact the privilege levels they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • All the devices not showing after CSM integration with ACS

    Hi all
    I integrated ACS with CSM and added all the security devices into ACS as client devices. But after the integration with ACS, only a few devices are shown in CSM when I log in as super admin. For all other users (system admin, network operator, etc.), no devices are shown in CSM. Please give me a solution to solve this.

    Did you have devices already in CSM when you integrated it into ACS ? Did you make sure that the hostname of the devices is exactly the same in acs and csm ?

  • Integrated CSM + ACS - DCR Device Wizard

    Hi there,
    I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and setup a Bulk Import of Devices from ACS into Common Services.  Have also setup default device credentials.
    This seems to be working fine, in that I can login to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.
    Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR", the only option I have is to import from an export file from DCR.   The problem here is that the export file contains all the default device credentials which I don't want users to know.
    Have I missed something?
    Based on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".
    Thanks
    Michael

    OK,
    I have got to the bottom of this now.
    I was reading the CSM 3.1 User Guide, which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.
    Obviously not: having downloaded the CSM 3.3 User Guide, it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".
    To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.
    The function does still exist in Performance Monitor however.....
    Therefore the only options are to either:
    Export the devices/credentials from DCR and import into CSM
    This means that people with access to the server (e.g. the IT Department) have potential access to the export files containing master device credentials of firewalls, which obviously is no use in a secure environment.
    Have the firewall/security administrators manually add each device to CSM, supplying the necessary credentials.
    This is OK to an extent, except that we are trying to maintain a secure environment with "role separation" and traceable named accounts, hence the integration with ACS.
    Rather than being able to set a complex "default credential" once which would then be destroyed/forgotten, this now means that the firewall/security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!
    None of this is very "secure" for a supposed security product.
    Is there a way to reinstate the "Add Devices from DCR" option in client versions CSM 3.2+?
    Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) and they can be set each time a device is added?
    Thanks
    Mike

  • Ftp not working on Prime NCS

    OK, I have a customer who we are migrating from WCS to Prime Infrastructure 1.3. As I understand it, I need NCS in the middle to migrate from WCS >> NCS >> PI 1.3.
    I have Prime NCS running, I followed instructions:
    http://www.cisco.com/en/US/partner/docs/wireless/ncs/1.1/release/notes/NCS_RN1.1.1.html#wp298425
    http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/tasks.html#wp1215225
    When I try and connect to the NCS server via ftp using Filezilla or WS-FTP with username/ftp-user & password/ftp-user I get the following:
    Status:          Connecting to 10.160.17.89:21...
    Status:          Connection attempt failed with "ECONNREFUSED - Connection refused by server".
    Error:          Could not connect to server
    Status:          Waiting to retry...
    Status:          Delaying connection for 1 second due to previously failed connection attempt...
    (the same ECONNREFUSED attempt on port 21 repeated several more times)
    Status:          Connecting to 10.160.17.89...
    Response:          fzSftp started
    Command:          open "[email protected]" 22
    Command:          Pass: ********
    Error:          Authentication failed.
    Error:          Critical error
    Error:          Could not connect to server
    (the same SFTP authentication failure on port 22 repeated twice more)
    Status:          Connecting to 10.160.17.89:21...
    Status:          Connection established, waiting for welcome message...
    Response:          220 Service ready for new user
    Command:          USER ftpuser
    Response:          331 User name okay, need password for ftpuser
    Command:          PASS ********
    Response:          530 Access denied
    Error:          Critical error
    Error:          Could not connect to server
    Status:          Connecting to 10.160.17.89:21...
    Status:          Connection established, waiting for welcome message...
    Response:          220 Service ready for new user
    Command:          USER ftp-user
    Response:          331 User name okay, need password for ftp-user
    Command:          PASS ********
    Response:          530 Access denied
    Error:          Critical error
    Error:          Could not connect to server
    Status:          Connecting to 10.160.17.89:21...
    Error:          Connection timed out
    Error:          Could not connect to server
    Status:          Waiting to retry...
    Status:          Connecting to 10.160.17.89:21...
    What might I be doing wrong?
    Thanks in advance for your help.

    Are you able to SSH or console into the NCS appliance?
    If so, please run an ncs status command to see if all NCS processes are running.
    Also, can you try to launch an MS-DOS or CMD prompt and try
    ftp xxx.xxx.xxx.xxx
    Enter ftp-user for the username.
    Enter whatever password you think it is.
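The log in the question shows three distinct outcomes on the same host, and they mean different things: "ECONNREFUSED" on port 21 is the host answering that nothing is listening there (the FTP daemon is not running, which is what the ncs status suggestion above is checking), "530 Access denied" after a 220 banner means the daemon is up and the problem is the credentials or account, and "Connection timed out" means no reply at all, which points at a firewall or routing problem. The following probe is an added example written for this page, not a tool from NCS or the posters; it classifies a TCP connect attempt the same way and prints a hint for each case. That NCS serves FTP on port 21 and SSH/SFTP on 22 is assumed from the log above, and the hint text is the example's own reading of the thread.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    'open'    -> something accepted the connection (a daemon is listening)
    'refused' -> the host answered with a reset: reachable, but nothing on that port
    'timeout' -> no answer at all: filtered, or the host is down/unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:%s" % exc.errno
    finally:
        sock.close()


# What each outcome means for the symptoms in the thread (the example's own
# interpretation, not text from NCS documentation).
HINTS = {
    "open": "listener present; a 530 / 'Authentication failed' after this is a "
            "credential or account problem, not connectivity",
    "refused": "host reachable but nothing listening on this port: check that the "
               "service is running (e.g. 'ncs status' on the appliance)",
    "timeout": "no reply at all: a firewall/ACL or routing problem between you and the host",
}


def diagnose(host, ports=(21, 22), timeout=3.0):
    """Probe each port and return {port: (state, hint)}."""
    report = {}
    for port in ports:
        state = probe_tcp(host, port, timeout)
        report[port] = (state, HINTS.get(state, "unexpected socket error"))
    return report


if __name__ == "__main__":
    import sys
    # Default target is loopback so the script runs offline; pass the NCS address to use it.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, hint) in diagnose(target).items():
        print("%s:%d %-8s %s" % (target, port, state, hint))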

  • Set type problem in sales order integrated into loyalty management

    Hi experts,
    I am trying to implement the sales order integrated into loyalty management. As the notes said, I should use the set type REWARD_PRO_LOY and assign it to a hierarchy for loyalty. But when I use this set type in the hierarchy, I find I can only assign it when I choose "service" for the product type. Then I found that in the "REWARD_PRO_LOY" set type there is a switch tab. In the tab, there is only "services". I don't understand what this tab means. I want to assign this set type to the "materials" type. I tried to create a new set type with the same attributes, but it seemed not to work. Can anybody give me some advice to solve the problem?
    Thanks a lot,
    Best Regards,
    Molly Xin

    Hi Molly Xin,
    If you refer to your first screen print, it's very evident that the product types for which products can be created using this set type include both "Materials" and "Services".
    We have created a similar scenario and were able to create products with product type "Materials".
    Please let me know if you have any issues while creating products with product type "Materials".
    Regards

  • Issue with backup NCS via NFS (Cisco Prime NCS 1.2.0)

    Hello,
    Does someone have issue with backup NCS via externally mounted location (NFS)?
    I have Cisco Prime NCS 1.2.0 and tried backup it to external resources, but I have issue with my free space:
    NCS/admin# backup ncs repository backup_nfs
    % Creating backup with timestamped filename: ncs-130131-0534.tar.gpg
    INFO : Cannot configure the backup directory size settings as the free space available is less than the current database size.
    You do not have enough disk space available in your repository to complete this backup.
    DB size is 25 GB
    Available size is 12 GB
    Please refer to the command reference guide for NCS and look at the /backup-staging-url/ command reference to setup the backup repository on an externally mounted location
      Stage 5 of 7: Building backup file ...
      -- complete.
      Stage 6 of 7: Encrypting backup file ...
      -- complete.
      Stage 7 of 7: Transferring backup file ...
      -- complete.
    I have tried to add additional space and use command backup-staging-url (my configuration: backup-staging-url nfs://server2008:/nfs), but it didn't help me.
    NFS share works perfect. I have checked it via NFS repository:
    repository backup_nfs
      url nfs://server2008:/nfs
    +++++++++++++++++++++++++++++++++++++++
    NCS/admin# show repository backup_nfs
    NCS-130130-1135.tar.gpg
    NCS-130130-1137.tar.gpg
    NCS-130130-1157.tar.gpg
    NCS-130130-1158.tar.gpg
    test-130130-1210.tar.gz
    Every time I try to create a backup I receive the error message "You do not have enough disk space available in your repository to complete this backup".
    Does someone know how can I backup NCS system?
    Thank you

    How much space is available on that NFS mount point? It looks to me from the error message that there is only 12 GB.
    The backup-staging-url is just for space used to stage the backup before it is written.

  • Adobe flash 11 installs but not integrated into ie8

    I have an XP/32 SP3 system using IE8.  I use the latest Avast, and have realplayer 16.  I temporarily disabled all add-ons today, and subsequently I have been unable to re-enable as the entry has disappeared from the list of add-ons.  I have uninstalled and re-installed IE8, ditto with Adobe Flash using the Adobe Flash removal tool, and then re-installed the latest IE version.  I have used the Flash test option and the screen is just greyed out.  So clearly although there are no error diagnostics during the install, the add-on is not being integrated into IE8.  Hence URLs that require flash show an error.
    All MS updates up to date.
    What could I try?

    Thanks for your reply. I did delete the flash/macromed directories as suggested by Adobe prior to the last re-install. Here is a screen grab of the flash directory as it is now.
    Shockwave is not appearing as an add-on in IE8.

  • Problem with Print functionality in the BI reports integrated into portal

    Hi,
    We have some BI reports integrated into the portal, and we have a Print button, which is a standard SAP functionality, that does not work. When we click that print button it takes forever to load the page and print it.
    Please help me in resolving this issue; points will be rewarded for sure.
    Bala

    Hi Edward,
    Can you clarify your statement "You can run 3.x queries normally"? I am currently declaring the BEx web application string in the BW iView, created in this format "infocube=0D_FI_C01&query=0D_FI_C01_Q001", and I am not defining the report template anywhere in the iView properties, but still the standard template is displayed.
    Please let me know how to run 3.x queries normally.
    Also, I am trying to integrate only reports which are developed in BW 3.x format in the BI system, but still the data is not displayed.
    Please let me know in case the SP level of both the EP and BI portal is to be considered for this.
    The EP 7 portal is on SP9 whereas BI 7 is on SP12.
    Also, I noticed the EP portal doesn't have the BI Java Add-on. Will this matter for displaying reports in BW 3.x format?
    As per the workaround you suggested, I tried to create URL iViews directly taking the links from the reports displayed in the BI portal. I was able to preview the report, but when I added those iView reports to a role, the reports are constantly loading as they try to contact the BI system. They are constantly loading with nothing displayed on screen.
    "http://sapbw:50000/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplatform_add_ons!2fcom.sap.ip.bi!2fiViews!2fcom.sap.ip.bi.bex?QUERY=0D_PU_C01_Q011&VARIABLE_SCREEN=X&DUMMY=1"
    regards
    Bharat
