Two standalone ACS for TACacs authentication
Dear All,
I am having a network consists of some 30 routers and I have 2 ACS 5.3 appliances.
I am planing to configure the acs (a,b) boxes in the standalone mode .
and i want to configure both the acs as the TACACS server in all my routers
with ACS A as the primary in some routers and ACS B as the primary in some routers.
and there is no configuration sync between the ACS boxes.
Does this setup will have any issue in authentication in case if any of the acs fails ....
thanks in advance ...
Selva
There will be no issue, unless the configuration is not same. My personal opinion distributed deployment is the best method if you are planning to keep more than one ACS with in a domain.
Similar Messages
-
Synchronizing DB/Config between two standalone ACS, v5.4
Hello.
I'm in process of migrating a clients' ACS from 4.2 to 5.4. With 4.2, they have it set up so that two standalone ACS servers (one in US, one in UK) will replicate database and configuration information. They are not configured as a primary/secondary setup.
For instance, any devices in the Data Center in UK will reference the UK ACS server first, US second. In the US, it is the opposite. Any configuration changes are generally made on the US side which then replicates to the UK side.
Is this situation possible in 5.4? I want to avoid users in the UK having to authenticate to the US server and vice-versa unless their local ACS is down.
Hopefully that makes sense. If it doesn't, let me know.I'm looking for a method to replicate the content of a database from one standalone ACS to another. I am not looking for a failover solution.
The difference is that I want UK people to authenticate to the UK server first, and I want US people to authenticate to the US server first.
Does that make sense, or am I just not understanding something? -
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
The server key is hidden but at the time of configuration, I can ascertain that it's correct.
The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
address ipv4 1.1.1.1
key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
address ipv4 2.2.2.2
key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102In order to resolve this issue. Please replace the below listed command
aaa authentication login admin group tacacs+ local enable
with;
aaa authentication login default group admin local enable
You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco ACS for Unix authentication
My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config, Can I get the unix boxes to get authenticated against Radius?
Any help will be appreciated.
MannyHi,
Authentication of unix servers via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
Hope that helps out your query !!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H -
Hello
I am looking to deploy a NAC device in our office and currently have an ACS server that handles wireless authentication.
I would like to know if the ACS is capable of authenticating users on a LAN with both 802.1x and device detection (such as MAC address and ID)?
If I can do the latter how do you set that up on an ACS?
Thanks in advance
PaulSo my answer is correct ...
ACS is an authentication server. It can authenticate devices.
NAC Profiler, that is now replaced with ISE Profiling Engine, analyzes real-time the behavior of devices to identify them. ACS will use that as a device database.
If using ISE, you only need ISE, it profiles and authenticates as well (it combines ACS+Profiler+other services).
What you seem to be uncomfortable with is the way the Profiling works, I would suggest you to read Profiler or ISE documentation to know more about it.
It identifies a device through his behavior. Then it authorizes the mac address. You are forced to trust on a mac address basis because the system is made for non-802.1x devices so you can't "talk" to the device or assign it any ID or whatever.
However, it's not a static list of mac address. The mac address is allowed only if it's online and it corresponds to an allowed type of device.
It can for example differentiate a phone, from an XBOX, from a laptop by looking at the fields of the DHCP request of the device, etc ... it can also do polling on the switch to check for CDP information etc ... -
Using ACS for Cisco Prime authentication
I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
Any pointers?The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
Administration > AAA > TACACS+ Servers > add tacacs server.
Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
"Configuring ACS 4.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
https://supportforums.cisco.com/docs/DOC-17909
In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
Jatin Katyal
- Do rate helpful posts - -
Confgiure router to use particular interface IP add.for TACACS+ authenticat
How to confgiure router to use particular interface's IP address for all comunications with ACS server for TACACS+ authentication.
Thanks a lot...Use the command:
ip tacacs source-interface -
Tacacs authentication fails for one user account for only one switch
Hi,
I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
The same user account works well for other devices.
The AAA configs are same on every devices in the network.
Heres the show tacacs output from the switch where only one user account fails;
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason ?
No errors on ACS server; same rights had been given to the user account.
Thanks to advise.
PraseyHi there,
Does the user get authenticated in the ACS logs?
reports and activity----> failed attempts
ro
reports and activity-----> passed authentications
That will help narrow it down.
Brad -
TACACS+ Authentication For Cisco NAM
Hi All,
I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
Please advise.
Thks and RgdsSteven
I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
HTH
Rick -
Configure Nexus 7k for TACACS in Cisco ACS
Hi,
Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active
Directory.
Please advise if the below config are acceptable:
feature tacacs+
tacacs-server key KEY
tacacs-server timeout 20
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
server 1.1.1.1
use-vrf management
source-interface mgmt0
tacacs-server directed-request
aaa authentication login default group TEST
aaa authentication login console none
aaa authorization commands default group TEST
aaa accounting default group TEST
aaa authentication login error-enableHi,
What OS version are u using on your servers?
Craig -
Authentication providers for TACACS+ and RADIUS
Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
RADIUS?
BenSo in the ACS network config you add 2 NASes (or should that be NASi?)
One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
Assuming you a have at least 1 user in say, the default group (acs group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
Suggest you first take time to scan through the ACS docs. -
ACS SE setup for windows authentication
Dear All,
I'm trying to install an ACS Solution Engine in My network for access control (AAA). I succeed in setting up authentication using the internal database and that works fine. Now My boss want users to be authenticated through an external database (windows AD). I tried achieving this but kept getting different errors.(like EAP-TLS or PEAP authentication failed during SSL handshake) or (Authen session timed out: Challenge not provided by client).
Please I need someone who has done this setup successfully before to give Me a step by step procedure on how I can setup ACS SE for windows authentication using My domain windows authentication.
ThanksDear All,I'm
trying to install an ACS Solution Engine in My network for access
control (AAA). I succeed in setting up authentication using the
internal database and that works fine. Now My boss want users to be
authenticated through an external database (windows AD). I tried
achieving this but kept getting different errors.(like EAP-TLS or PEAP
authentication failed during SSL handshake) or (Authen session timed
out: Challenge not provided by client).Please
I need someone who has done this setup successfully before to give Me a
step by step procedure on how I can setup ACS SE for windows
authentication using My domain windows authentication.Thanks
Hi,
Check out the belwo link on your query,Hope that help !!
https://supportforums.cisco.com/docs/DOC-5542
If helpful do rate
Ganesh.H -
How to add a switch to acs for login and ads authentication
Hi all
I want to add my switch so that it authenticates to my acs for login auth, I have done the switch end, using radius, also added the switch on the acs, how do I force the acs to use windows auth for this login? do i just go under the network config where the device is and tick the box saying use windows database for authentication, and then do a group mapping ?
cheersHi,
Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
Maybe there are other ways, but this works.
Success,
Rob -
Software to test RADIUS/TACACS authentication to ACS server
Hi experts,
Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
Thanks in advance!If you look in the ACS utils folder you'll see radtest and tactest.exe
These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
Darran -
ACS 5.1 Authentication against AD problem
I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44. We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues. His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server. Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log: "24421 Change password against Active Directory failed since it is disabled in configuration". The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration. As a test, I enabled password changing and instead saw this error: "24407 User authentication against AD failed since user is required to change his password".
I've had him change passwords numerous times, try different SSH clients, and different PCs. I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out". So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
The only difference between the two ACS servers are that they are querying different AD servers. I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning. I've also restarted the services and cold started the ACS virtual machine to no effect. I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!Hello,
It is complicated to explain this rule but hopelly you will understand.
I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
Regards,
Sebastian Aguirre
Maybe you are looking for
-
Error only in PDF report generation not HTML
The same report exports fine in HTML. This only happens when exporting a PDF report: com.crystaldecisions.sdk.occa.report.lib.ReportSDKException: 26---- Error code:-2147467259 Error code name:failed The application was developed by our developer team
-
Changing a linechart background color upon a chartitem selection
hello guys, I am displaying multiple lines vertically in a linechart. User can make a rectangular selection on chartitems. I want to change the linechart background color of the selected region only. So if user selects multiple region then I will be
-
Can I connect my iPad to epson emp-x3 projector?
I have a keynote presentation on my iPad and an Epson Emp-X3 LCD projector. How do I connect the two to show the presentation?
-
Transitions between split clips don't work properly
If I split a clip in the project area, then put a transition between the two new clips, the transition doesn't work properly. It is most obvious with the Cross Dissolve, which doesn't work at all. Some of the others sort of look like they are working
-
what is the latest on financial software for Mac 10.8? how does 'you need a budget' stand up? Deb