Using Cisco TACACS for CSS11501

I currently have an 11501 series CSS and am trying to have authentication use our ACS appliance. I added the config listed below but when running a "show tacacs-server" both servers are listed as dead. I am able to ping both of the ACS servers without issue.
The following is the configuration I have added to the CSS:
virtual authentication primary tacacs
tacacs-server authorize config
tacacs-server authorize non-config
tacacs-server account non-config
tacacs-server account config
tacacs-server 10.10.75.9 49 primary frequency 10
tacacs-server key ****
ip management route 10.10.75.0 255.255.255.192 10.10.253.1
Any help would be greatly appreciated.
Thanks,
-Dennis

Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified.
Users whose accounts were created in the CiscoSecure ACS database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204cf8.html

Similar Messages

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • Out of interest... What do you use Cisco VPN for?

    Is it more secure than Activesync for example?
    Thanks in advance.
    (ps. We run VPN's. Just not sure what the value is for an iPhone)

    Our employees use VPN to access internal company web sites and our financial system from their iPhone. We also have network administrators performing support functions via remote desktop, VNC and via other connections.
    ActiveSync, when used with the SSL function enabled, is secure enough for us and we allow access outward facing to the Internet without the need for VPN (we also allow access while connected via VPN).

  • Use Cisco CUCM for outbound "call me at" feature on Lync meetings

    I'm trying to find a step by step to enable users (non enterprise voice users) to use the dial me at feature in Lync conference meetings. I only want the user to have the ability to tell Lync to dial a number to place that number into the conference call; the feature is easy to enable but I can't get the routing right between CUCM and Lync. I've looked all around the net but I can't seem to find anything that matches what I'm trying to do; other docs cover enterprise voice and that's out of my scope. Any assistance here would be nice. Thanks

    Hi,
    In Lync Server 2010, it is not supported with “call me at” function for non-Enterprise Voice users.
    However, Lync Server 2013 now allows participants that are not Enterprise Voice enabled to initiate dial-out calls from a meeting conference, called “Dial-out Conferencing for non-Enterprise Voice users”.
    This can be configured by setting the Conferencing policy to allow this feature (Set-CSConferencingPolicy –AllowNonEnterpriseVoiceUsersToDialOut:$true). After enabling this, then assign a voice policy to the users who need the function.
    Best Regards,
    Eason Huang

  • How-to use Cisco DCNM for SAN to manage storage fabric

    I recently purchased DCNM for SAN (and LAN), have installed and licensed it. The software is up and running, and I have installed the necessary features & licenses to each of my Nexus 5596UP devices. Unfortunately, I'm not able to make any changes to the fabric from the DCNM SAN client. Am I missing some steps here? Do I need to have fiber connections in place from end points, and the SAN, in order to see/manage the fabric?
    Thanks in advance!

    Did you do a fabric discovery? Have you set up proper accounts on the N5k?
    see
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_2/configuration/guides/fund/DCNM-SAN-LAN_5_2/DCNM_Fundamentals/fmaaa.html

  • Call/video not working between Cisco jabber for Windows and VCS control C40s

    Hello,
    I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
    The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
    If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
    Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
    I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
    Anyway here is what is happening:
    When I make a call from my Cisco Jabber for Windows to the C40 using the alias number, the call is redirected just fine to the C40 and it rings; however, when someone or the auto answer picks it up, the call drops right away.
    However, if I enable the MTP in my CSF device, the call lasts longer before dropping. I was even able to see my Jabber "start video" turn green; before, it was grayed out all the time and the call dropped faster. I hear a fast busy tone.
    I'm able to provide SDI traces, logs and diagnostic SIP/H.323 calls from the VCS in order to know for sure if this is an incompatibility issue or something I can work around.
    Let me know if any of you are interested in reading these logs or could point me in the right direction.
    Thanks!

    Ok,
    I have looked at both logs. I have to mention though that you didn't provide the log that shows the H.323 setup between CUCM and the VCS. This is most likely because the call originated from a different CUCM than the ones you provided the logs from.
    The call would have originated from the first CUCM in the CUCM group of this trunk: Name=RL_TRUNK_VIDEO
    The CUCM IP will be: 10.252.53.10.
    This is the VCS log that confirms where the H.323 request originated from:
    pr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="54000"
     Received RAS PDU:
    Having said that, here is my analysis of the logs that you sent.
    Jabber sent an INVITE to CUCM and advertised all the codecs (audio and video) it can support.
    Observe that Jabber says it doesn't support G729 Annex B:
    21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
    from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
    [862370,NET]
    INVITE sip:[email protected];user=phone SIP/2.0
    Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
    From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
    -00000e65
    To: <sip:[email protected]>
    Call-ID: [email protected]
    Max-Forwards: 70
    Date: Fri, 11 Apr 2014 01:55:16 GMT
    CSeq: 101 INVITE
    User-Agent: Cisco-CSF/9.4.1
    m=audio 19252 RTP/AVP 0 8 18 105 104 101
    c=IN IP4 10.223.20.73
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:105 G7221/16000
    a=fmtp:105 bitrate=24000
    a=rtpmap:104 G7221/16000
    a=fmtp:104 bitrate=32000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=sendrecv
    m=video 28878 RTP/AVP 97
    c=IN IP4 10.223.20.73
    ++++Now let's observe the capabilities exchange during H.245 negotiation between CUCM and VCS++++
    Here CUCM advertises its caps to VCS (after receiving caps from VCS).
    Note that G729A, G729AB and G729 are all advertised:
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="45660"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : terminalCapabilitySet
     capabilityTableEntryNumber 2,
           capability receiveAudioCapability :
    g729wAnnexB : 6
           capabilityTableEntryNumber 3,
       capability receiveAudioCapability : g729AnnexAwAnnexB : 6
           capabilityTableEntryNumber 4,
           capability
    receiveAudioCapability : g729 : 6
    capabilityTableEntryNumber 5,
           capability receiveAudioCapability :
    g729AnnexA : 6
    ++++++
    After doing MSD (master slave determination), we move to the OLC phase. Here we see that the far end (the C40) wants to use G729AB for media++++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
    Module="network.h323" Level="DEBUG":  Src-ip="10.224.114.11"  Src-
    port="11163"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : openLogicalChannel :
       forwardLogicalChannelNumber 1,
    forwardLogicalChannelParameters
         dataType audioData :
    g729AnnexAwAnnexB : 20,
         multiplexParameters
    h2250LogicalChannelParameters :
    +++Next VCS sends G729AB as the codec to use to CUCM+++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
    Module="network.h323" Level="DEBUG":  Dst-ip="10.252.53.10"  Dst-
    port="45660"
     Sending H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : openLogicalChannel :
       forwardLogicalChannelNumber 1,
    forwardLogicalChannelParameters
         dataType audioData :
    g729AnnexAwAnnexB : 20,
         multiplexParameters
    h2250LogicalChannelParameters :
    ++++The next thing we get is an OLC reject from CUCM, and this is where the call drops++++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="45660"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= response : openLogicalChannelReject :
    forwardLogicalChannelNumber 1,
       cause dataTypeNotSupported : NULL
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
    Module="network.h323" Level="INFO":  Dst-ip="10.224.114.11"  Dst-
    port="11163"
      Detail="Sending H.245 OpenLogicalChannelRejResponse
    +++We then receive a call release from CUCM with cause code 47: resource unavailable++++
    Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="50913"
     Received H.225 PDU:
     Q931
       Message Type: Release
    Complete
       Call reference flag: Message sent from originating side
    Call reference value: 0x7b
       Info Element : Cause
         Location: Usr
       Cause Value: Resource unavailable
       Info Element : User User
       Length = 22
    Suggestions:
    Change the region setting between the ICT trunk to VCS and Jabber to use G711 and test again.
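    The reply's reasoning, mapping the SDP of the Jabber INVITE onto H.245 capability names and walking the VCS H.323 events to find the OLC request the SIP leg cannot satisfy, as an added example that is not part of the original thread. The SDP and log text below are constructed, condensed excerpts modelled on the lines quoted above, and the SDP-to-H.245 name mapping is an assumption of this example.

```python
import re

# Constructed excerpts (not verbatim) modelled on the log lines quoted in the
# reply above: the SDP of the Jabber INVITE as seen by CUCM, and the H.245 /
# H.225 events the VCS logged for the same call. Python 3.7+ (zero-width split).
JABBER_SDP = """\
m=audio 19252 RTP/AVP 0 8 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
"""
VCS_H323_LOG = """\
Apr 10 22:50:31 TWELDVCS01 tvcs: Module="network.h323" Src-ip="10.224.114.11" Received H.245 PDU:
 request : openLogicalChannel : forwardLogicalChannelNumber 1, dataType audioData : g729AnnexAwAnnexB : 20,
Apr 10 22:50:31 TWELDVCS01 tvcs: Module="network.h323" Dst-ip="10.252.53.10" Sending H.245 PDU:
 request : openLogicalChannel : forwardLogicalChannelNumber 1, dataType audioData : g729AnnexAwAnnexB : 20,
Apr 10 22:50:31 TWELDVCS01 tvcs: Module="network.h323" Src-ip="10.252.53.10" Received H.245 PDU:
 response : openLogicalChannelReject : forwardLogicalChannelNumber 1, cause dataTypeNotSupported : NULL
Apr 10 22:50:32 TWELDVCS01 tvcs: Module="network.h323" Src-ip="10.252.53.10" Received H.225 PDU:
 Q931 Message Type: Release Complete  Cause Value: Resource unavailable
"""

# Assumed mapping from SDP rtpmap names to the H.245 capability names seen in
# the VCS log. Per RFC 4856 a G729 line without "annexb=no" implies Annex B.
def sip_audio_caps(sdp):
    """Audio codecs the SIP leg accepts, expressed as H.245 capability names."""
    rtpmap = dict(re.findall(r"^a=rtpmap:(\d+) ([^/\s]+)/", sdp, re.M))
    fmtp = dict(re.findall(r"^a=fmtp:(\d+) (.+)$", sdp, re.M))
    caps = set()
    for pt, name in rtpmap.items():
        if name == "PCMU":
            caps.add("g711Ulaw64k")
        elif name == "PCMA":
            caps.add("g711Alaw64k")
        elif name == "G729":
            caps.update({"g729", "g729AnnexA"})
            if "annexb=no" not in fmtp.get(pt, "").replace(" ", "").lower():
                caps.update({"g729wAnnexB", "g729AnnexAwAnnexB"})
    return caps

def h323_events(log):
    """Split a VCS network.h323 log into (direction, peer_ip, kind, detail) tuples."""
    events = []
    for block in re.split(r"^(?=\w{3} +\d+ \d\d:\d\d:\d\d )", log, flags=re.M):
        if not block.strip():
            continue
        direction = "in" if "Src-ip=" in block else "out"
        peer = re.search(r'(?:Src|Dst)-ip="([\d.]+)"', block).group(1)
        if "openLogicalChannelReject" in block:
            events.append((direction, peer, "olc_reject",
                           re.search(r"cause (\w+)", block).group(1)))
        elif "openLogicalChannel" in block:
            events.append((direction, peer, "olc",
                           re.search(r"audioData : (\w+)", block).group(1)))
        elif "Release Complete" in block:
            events.append((direction, peer, "release",
                           re.search(r"Cause Value: (.+)", block).group(1).strip()))
    return events

def diagnose(sdp, log):
    """Check each codec the H.323 far end asked for against what the SIP leg accepts."""
    sip_caps = sip_audio_caps(sdp)
    events = h323_events(log)
    requested = [e[3] for e in events if e[2] == "olc" and e[0] == "in"]
    rejects = [e[3] for e in events if e[2] == "olc_reject"]
    releases = [e[3] for e in events if e[2] == "release"]
    findings = [f"far end asked for {c} but the SIP leg only accepts {sorted(sip_caps)}"
                for c in requested if c not in sip_caps]
    return {"requested": requested, "reject_cause": rejects[0] if rejects else None,
            "release_cause": releases[0] if releases else None,
            "codec_mismatch": bool(findings), "findings": findings}
```

    Running diagnose(JABBER_SDP, VCS_H323_LOG) reports the far end asking for g729AnnexAwAnnexB while the SIP leg accepts only the G711 and non-Annex-B G729 variants, matching the OLC reject and the cause 47 release in the log.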

  • How can ftp service on non-standard port be load balanced using Cisco ACE.

    How can an FTP service on a non-standard port be load balanced using Cisco ACE? For example, the FTP service is required on TCP port 2000.

    Hi Samarjit,
    you can do this by specifying the port number in the class map that you create. Please find the below mentioned config guide, where you can specify the TCP/UDP port, a range of ports or even a wildcard to match the port.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
    Regards
    Abijith

  • Configuration of Cisco 2911 for Asterisk

    Hi all
    I use a Cisco 2911 for the Asterisk phone system to communicate with the outside.
    However, sometimes I can make calls in and out. Sometimes, just in or out. Sometimes, I cannot make any call.
    I think it is a NAT, PAT and ACL problem in the Cisco 2911. This Cisco is also the gateway to the internet for users.
    Please, any advice?
    Thanks a lot
    Here is the configuration:
    Router#show run
    Building configuration...
    Current configuration : 1981 bytes
    ! Last configuration change at 20:06:06 UTC Thu Nov 14 2013
    ! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
    ! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable secret 5 xxxxx
    no aaa new-model
    memory-size iomem 20
    no ipv6 cef
    ip source-route
    ip cef
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO2911/K9 sn FTX1603AH9C
    interface Embedded-Service-Engine0/0
    no ip address
    interface GigabitEthernet0/0
    description internal-LAN
    ip address 172.x.x.x 255.255.0.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 11
    ip address 172.16.x.x 255.255.240.0
    interface GigabitEthernet0/2
    description internet
    ip address 50.240.x.x 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface GigabitEthernet0/2 overload
    ip route profile
    ip route 0.0.0.0 0.0.0.0 50.240.x.x
    ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
    ip route 172.16.240.0 255.255.254.0 172.10.x.x
    access-list 100 permit ip 172.10.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.240.0 0.0.0.255 any
    access-list 100 permit udp any any range 5004 5090
    access-list 100 permit udp any any range 10000 20000
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login
    transport input all
    scheduler allocate 20000 1000
    end

    There are some VSPs that do the NAT themselves. If your VSP (like mine) does the NAT, then you need to globally disable NAT in your Asterisk.
    My VSP also recommends I disable ALG on my router.
    So you need to ask your VSP.

  • Privilege mode authentication using Tacacs for Cisco Routers

    I am trying to set up a test environment where I need to be asked for both a username and password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options on TACACS in order to set it up right. Has anyone ever done a setup like this before? I would appreciate any help on this. Thanks.

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname 2621-3
    boot-start-marker
    boot system flash c2600-i-mz.123-26.bin
    boot-end-marker
    logging buffered 5001 debugging
    no logging console
    no logging monitor
    enable password cisco
    memory-size iomem 10
    clock timezone CST -7
    clock summer-time CST recurring
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default group tacacs+
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name int.voyence.com
    ip name-server 192.168.21.5
    !key chain jetef
    key 10
      key-string c1sco
    modemcap entry ZOOM
    modemcap entry ZOOM
    username jeff password 0 jeff
    tacacs-server host 192.168.21.230 key cisco
    tacacs-server host 10.6.230.32
    tacacs-server directed-request
    tacacs-server key dakey
    line con 0
    exec-timeout 15 0
    logging synchronous
    speed 115200
    line aux 0
    exec-timeout 15 0
    password 7 104D000A0618
    logging synchronous
    modem InOut
    modem autoconfigure discovery
    terminal-type monitor
    transport input all
    stopbits 1
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password cisco
    private
    logging synchronous

  • Cisco tacacs 5.4 for centos machines

    Hello Everyone,
    I am a newbie.
    I have cisco TACACS 5.4 server installed.
    I have a few CentOS machines on my network and I want to use the TACACS server to authenticate credentials for the CentOS machines.
    There are two types of users on my machines
    1) admin
    2) operator
    Can you please guide me to the tutorial which can help me with authenticating credentials for non cisco products?
    Thanks

    Hello Sachin,
    As you required a tutorial for authenticating in ACS 5.4, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/admin_config.html

  • Aaa authentication using tacacs+ for LAP

    With an Autonomous AP, you can configure AAA authentication using TACACS+.
    With a lightweight AP, do you have a similar function where you authenticate using TACACS+ when you telnet/ssh into the LAP after it is registered to the WLC?
    Rgds
    Eng Wee

    There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error "Access Denied. Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest? 
    Cliffs:
    -tacacs-server key is a simple key and is the same for every switch and within ACS
    -AAA config is the same on every switch, so I do not believe it to be a AAA config issue
    -Running config on switch that is not working is pretty much the same as the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group and EAP authentication to the RADIUS group.
    eg:
    aaa group server radius rad-group
    server x.x.x.x auth-port xxxx acct-port xxxx
    aaa group server tacacs+ admin-access
    server x.x.x.x
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    now under the ssid part of the config have:
    dot11 ssid yyyyyy
    authentication open (or whatever method you use) eap eap-method
    under console/vty etc:
    login authentication auth-admin-access
    You need some more stuff like RADIUS and TACACS server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment (see field notices). Probably doesn't apply to 1200s.

  • Configuring Cisco Router for use with Syslog Server

    Configuring Cisco Router for use with Syslog Server:
    Does anyone know of a good doc for this?
    -Ashley

    Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
    And if you need more information, just ask what you want to achieve.

  • How to Use Cisco 3660 or 3745 router for FAx

    I want to use a Cisco 3660 Router or 3745 Router for receiving FAX on email. I have an NM-2CE1T1-PRI which supports E1 R2 signalling on both the 3660 and 3745. What additional hardware is required? Kindly help.

    Hi,
    You could use T.37 Store and forward fax which has the feature called Onramp faxing.
    On-ramp faxing, in which a voice gateway that handles incoming calls from a standard fax machine or the PSTN converts a traditional Group 3 fax to an e-mail message with a Tagged Image File Format (TIFF) attachment. The fax e-mail message and attachment are handled by an e-mail server while traversing the packet network and can be stored for later delivery or delivered immediately to a PC or to an off-ramp gateway. The URL below is for the detailed config.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a00800b5dcf.html
    You would not require any extra hardware for the same.
    Thanks
    GS
