TACACS Administration issue in Cisco ACS V4.1

Hi,
I am using Cisco Secure ACS V 4.1 for Windows. When taking the TACACS+ Administration report, the report is not getting generated. I have come to know that this is a bug in this version, so as per the support forums they have suggested to update to ACS-4.1.1.23. The link which shows this is given below.
https://supportforums.cisco.com/message/2015469;jsessionid=E5E34B6AE1216E24188E4712050285DC.node0
For the same I have searched in Cisco but this particular version is not present. Instead ACS 4.1.4.13 is present.
Please let me know if I update to ACS 4.1.4.13 will it resolve this TACACS+ administration report issue. Else provide me the remedy to fix this issue.
Thanks,
Krishna.

Krishna,
That link does not have any full software listed, only patches are listed. This bug is fixed in the ACS 4.1.1.23.5 accumulative patch, which can be downloaded from that link.
In case you want to upgrade ACS, you need to open a TAC case to get the full software.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login


  • Configure Nexus 7k for TACACS in Cisco ACS

    Hi,
    Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active
    Directory.
    Please advise if the below config are acceptable:
    feature tacacs+
    tacacs-server key KEY
    tacacs-server timeout 20
    tacacs-server host 1.1.1.1 key KEY
    aaa group server tacacs+ TEST
        server 1.1.1.1
        use-vrf management
        source-interface mgmt0
    tacacs-server directed-request
    aaa authentication login default group TEST
    aaa authentication login console none
    aaa authorization commands default group TEST
    aaa accounting default group TEST
    aaa authentication login error-enable

    Hi,
    What OS version are you using on your servers?
    Craig

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations?
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • Cisco ACS 5.2 with NX-OS devices (Nexus) - User issues

    Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus Devices.
    I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access on all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.
    When I use that same User1 account into our NEXUS devices, I do NOT get privilege 15 access. As you probably know, NEXUS devices have roles: pre-defined or custom-made roles. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).
    So then I tried to tweak User1 and give it network-admin under Shell profile >> Custom Attributes. I logged into the NEXUS and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.
    Has anyone ever run into this problem? Please Help!
    Thanks,
    neocec

    Neocec,
    Yes, here is the documentation that provides insight into this (they make reference to the = and the *).
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473433
    Thanks,
    Tarik

  • Cisco ACS 4.2 TACACS+ Administration report - Help!

    We had some switches mysteriously reloaded. Upon investigation, the TACACS+ Administration report shows no user login to the device, no command was issued, and the reason = reload.
    How could this happen?

    Guna,
    Tacacs+ Does not use VSAs.
    Radius uses VSAs.
    This is what I found online:
    http://198.152.212.23/css/P8/documents/100106731
    See if this helps.
    It has an example associated for server configuration.
    In ACS 4, you need to use the shell exec and priv-lvl=<value>.
    (Similar to Cisco IOS)
    Regards
    Ed

  • No TACACS+ Administration Reports after upgrade to ACS 4.1

    Hi,
    I was running ACS 4.0 demo version. Everything was running fine.
    After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
    I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
    Here is the config I'm using:
    aaa new-model
    tacacs-server host 192.168.X.X key XXXXXXXXXXX
    aaa authentication login telnet group tacacs+ enable
    aaa authentication login console enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection telnet start-stop group tacacs+
    line con 0
    authorization exec NO-AUTH
    login authentication console
    line vty 0 4
    authorization exec AUTH
    login authentication telnet
    aaa authorization exec AUTH group tacacs+ none
    aaa authorization config-commands
    aaa authorization exec NO-AUTH none
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none

    Hi,
    This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
    Patch for appliance is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    Patch name : ACS SE 4.1.1.23.5 accumulative patch
    Patch for acs windows is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Patch Name : ACS 4.1.1.23.5 accumulative patch
    That should fix the issue,
    Regards,
    Jagdeep
    Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for Juniper SRX 210 FW with Cisco ACS 5.1 Tacacs but I am unable to achieve it.
    Can anyone help me with how to add the Junos service in ACS 5.1? How to integrate Juniper SRX 210 in Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable to attend any TACACS (or RADIUS) device as long as you tell ACS what are the TACACS (or RADIUS) attributes needed for that device.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes you can capture the packets and troubleshoot from the Juniper cli and from the "ACS view" side. That's how I found out the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • ACS Tacacs administration report Log Analyzer

    The logs in ACS are in .csv format. My system is generating huge logs due to more than 1000 devices configured in ACS. Are there any tools available to analyze the Tacacs administration logs?
    Regards
    Hitesh Vinzoda

    Hi Hitesh,
    The only option you have is to download the .CSV files and import it into spreadsheets by using most popular spreadsheet application software. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.
    To download a CSV report:
    =========================
    # click Reports and Activity.
    # Click the CSV report filename that you want to download.
    # In the right pane of the browser, click Download.
    # You can easily analyse the logs in Microsoft excel
    How to filter and analyze logs ( with Regular Expression Syntax Definitions):
    ========================================
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp632961
    For downloading third party application
    http://www.extraxi.com/
    For more info, you can download the user guide:
    http://www.extraxi.com/PDFs/aaa-reports%20sales%20proposal%20-%20customer.pdf
    HTH
    Regards,
    JK
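
One way to do the analysis asked about in this thread without a spreadsheet, as an added example that is not part of the original posts: a short Python script that summarises a TACACS+ Administration CSV export per user and per device, and lists sensitive commands and records that carry no user name. The column names, the trailing `<cr>` on commands, the watch list of command prefixes and the sample rows are all assumptions or constructed data; match them to the header row of your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows. The column names are assumptions modelled on an
# ACS 4.x "TACACS+ Administration" export; use your file's real header row.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,NAS-Portname,task_id,NAS-IP-Address,reason
03/14/2012,09:01:12,alice,NetAdmins,show running-config <cr>,15,shell,tty1,101,192.0.2.1,
03/14/2012,09:02:40,alice,NetAdmins,configure terminal <cr>,15,shell,tty1,102,192.0.2.1,
03/14/2012,09:03:05,bob,Operators,show version <cr>,1,shell,tty2,103,192.0.2.2,
03/14/2012,23:47:55,bob,Operators,reload <cr>,15,shell,tty2,104,192.0.2.2,
03/14/2012,23:50:10,,,,,,,105,192.0.2.3,reload
"""

# Assumed watch list: command prefixes worth a second look in a change review.
SENSITIVE_PREFIXES = ("reload", "configure", "write erase", "erase", "delete")

def load_rows(handle):
    """Yield one dict per CSV record, with values stripped and '<cr>' removed."""
    for row in csv.DictReader(handle):
        row = {key: (value or "").strip() for key, value in row.items()}
        cmd = row.get("cmd", "")
        if cmd.endswith("<cr>"):
            cmd = cmd[:-len("<cr>")].strip()
        row["cmd"] = cmd
        yield row

def analyze(text):
    """Return (commands per user, users per device, sensitive rows, rows with no user)."""
    per_user, per_device = Counter(), defaultdict(Counter)
    sensitive, unattributed = [], []
    for row in load_rows(io.StringIO(text)):
        user = row.get("User-Name", "")
        if not user:
            unattributed.append(row)  # e.g. a device reload logged with no login
            continue
        per_user[user] += 1
        per_device[row.get("NAS-IP-Address", "")][user] += 1
        if row["cmd"].lower().startswith(SENSITIVE_PREFIXES):
            sensitive.append(row)
    return per_user, per_device, sensitive, unattributed

if __name__ == "__main__":
    users, devices, flagged, orphans = analyze(SAMPLE_CSV)
    print("Commands per user:", dict(users))
    for row in flagged + orphans:
        print(row["Date"], row["Time"], row["NAS-IP-Address"],
              row["User-Name"] or "<no user>", row["cmd"] or row["reason"])
```

To run it on a downloaded report, pass the file's contents to `analyze()` instead of `SAMPLE_CSV`.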

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug ( CSCsg97429 ) in ACS version 4.1.
    Get this Patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You are right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
    For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
    Thanks!

    I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter, here configure the user's IP
    2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
    3. Define your rule with the required result

  • Cisco ACS (TACACS+) - AAA failure on WLC

    Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
    Authentication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and activity > failed attempts)
    Message Type: Author Failed
    Author-Failure-Code: Service denied
    Author-Data: service=ciscowlc protocol=common
    Anybody have any idea to resolve this problem.
    Thanks,
    Colm

    Hi,
    The document you referred is correct.
    What version of WLC are you running?
    Check this one:
    CSCsk21007    WLC requires tacacs authentication when configuration change ccess Control
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • Issue with certificate on Cisco ACS

    We are wanting to authenticate our internal wireless users using our Cisco ACS running 5.3. The ACS will poll our Active Directory environment for the username and password provided. I created a CSR on the ACS and provided it to Entrust. They provided me with a root, chain and server certificate. I bound the server certificate to the CSR under System Administration>Local Server Certificates>Local Certificates. I then added the chain and root certificates to the location Users and Identity Stores>Certificate Authorities. When I try to connect on a client laptop it asks for a username and password but after entering that information I am presented with the below certificate warning. This certificate is from Entrust and I see the root certificate in the root store on the laptop. Any ideas what would cause this? TAC does not seem to have any answers. They say it is a client machine problem.

    From the problem description, it's clear that you're attempting to connect user on a wireless network via peap. From the ACS stand point, your configuration looks good. However, I'd like to know what all certificate have you installed on the client side. Do we have complete chain installed on the client that includes Root CA and intermediate (if any). Would you mind emailing me your complete certificate chain for my reference?
    Also, let me know what OS and supplicant are we running on end client?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall with Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • Does cisco ACS hardware run TACACS+ ?

    hi all
    I am very new to the security,
    my question is , does cisco ACS devices run TACACS+ ?
    or TACACS+ has to be installed in windows/linux ?
    thank you

    The below listed link will help you to configure tacacs authentication/authorization and also help you to integrate ACS with Active directory.
    ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
    ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
    Regards,
    Jatin Katyal
    *Do rate helpful posts*
