• RELEVANCY SCORE 4.45

    DB:4.45:Cisco Prime Infrastructure 1.3 - Creating Custom Tacacs+ Attributes / Shell Profile For Acs 5.3 7p

    Cisco Prime Infrastructure 1.3 - Creating custom TACACS+ Attributes / Shell Profile for ACS 5.3

    As titled: currently, under Administration > Users, Roles & AAA > User Groups > Export Task List in Cisco PI 1.3,

    all the attributes use "=", which is mandatory.

    Is there any way I can make this optional?

    The reason is that I want to use the same TACACS+ username for Cisco PI 1.3, IOS and NX-OS devices, and NX-OS devices require the shell profile attributes to be optional.

    Thanks.

    DB:4.45:Cisco Prime Infrastructure 1.3 - Creating Custom Tacacs+ Attributes / Shell Profile For Acs 5.3 7p


    Robert-

    If you create a separate service selection rule, you can have it fork TACACS+ authentication requests from that specific IP to a different service identity and authorization process, where you can tell it to select a specific shell profile.  Then all you have to do is create a separate shell profile for managing Prime and have that one selected.  We do this with our UCS devices, regular router/switch CLI logins, etc.

    So for example:

    UCS: TACACS request -- if match service selection rule "from UCS devices", go to UCS admin access policy -- if match UCS admin identity requirements, give UCS admin shell profile

    PI: TACACS request -- if match service selection rule "from PI devices", go to PI admin access policy -- if match PI admin identity requirements (which are the same as UCS), give PI admin shell profile

    Default: TACACS request -- if match TACACS protocol from our IP range, go to default device admin policy -- if match default identity requirements, give default admin shell profile
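
    The forked decision chain in this reply, modelled as an added example (this is not code from the post, and not from Cisco ACS, which is configured through its GUI): a service selection rule picks an access service by the AAA client's source address, the access service applies an identity requirement, and only then is a shell profile returned. The subnets, the group name "netadmins", the service names and the shell-profile attribute values are constructed for illustration; the PI attribute names (virtual-domain0, role0) follow the ones quoted elsewhere on this page, and the "=" versus "*" separators are the TACACS+ mandatory/optional markers, which is the distinction that lets one account get a mandatory profile on Prime and an optional one on NX-OS.

```python
"""Added example: an ACS 5.x-style TACACS+ policy chain
(service selection rule -> access service -> identity check -> shell profile).
Not code from the forum post or from Cisco ACS; all addresses, names and
attribute values are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# TACACS+ attribute-value separators: "=" mandatory, "*" optional.
MANDATORY = "="
OPTIONAL = "*"


@dataclass(frozen=True)
class ShellProfile:
    name: str
    attributes: Tuple[Tuple[str, str, str], ...]  # (attribute, separator, value)

    def av_pairs(self) -> List[str]:
        """Render the profile as the AV pairs the server would return."""
        return [f"{attr}{sep}{value}" for attr, sep, value in self.attributes]


@dataclass(frozen=True)
class AccessService:
    name: str
    required_group: str        # the identity requirement (same group for all three)
    profile: ShellProfile      # the shell profile granted on success


# Prime wants its attributes mandatory; the default (IOS/NX-OS) profile marks
# its role attribute optional so the same account still works on NX-OS.
PI_ADMIN = ShellProfile("PI admin", (
    ("virtual-domain0", MANDATORY, "ROOT-DOMAIN"),
    ("role0", MANDATORY, "Admin"),
))
UCS_ADMIN = ShellProfile("UCS admin", (("shell:roles", MANDATORY, "admin"),))
DEFAULT_ADMIN = ShellProfile("default admin", (
    ("priv-lvl", MANDATORY, "15"),
    ("shell:roles", OPTIONAL, "network-admin"),
))

ACCESS_SERVICES: Dict[str, AccessService] = {
    "UCS admin access": AccessService("UCS admin access", "netadmins", UCS_ADMIN),
    "PI admin access": AccessService("PI admin access", "netadmins", PI_ADMIN),
    "default device admin": AccessService("default device admin", "netadmins", DEFAULT_ADMIN),
}

# Service selection rules, matched on the AAA client (source) address, in order;
# the first match wins, so the broad "our IP range" catch-all comes last.
SERVICE_SELECTION: Tuple[Tuple[str, str, str], ...] = (
    ("from UCS devices", "10.10.1.0/24", "UCS admin access"),
    ("from PI devices", "10.10.2.0/24", "PI admin access"),
    ("tacacs from our IP range", "10.0.0.0/8", "default device admin"),
)


def select_service(client_ip: str) -> Optional[Tuple[str, AccessService]]:
    """Return (rule name, access service) for the first matching selection rule."""
    addr = ipaddress.ip_address(client_ip)
    for rule_name, network, service_name in SERVICE_SELECTION:
        if addr in ipaddress.ip_network(network):
            return rule_name, ACCESS_SERVICES[service_name]
    return None


def authorize(client_ip: str, username: str, groups: FrozenSet[str]) -> Optional[dict]:
    """Run the full chain; None means the request is rejected."""
    selected = select_service(client_ip)
    if selected is None:
        return None                       # no selection rule: unknown AAA client
    rule_name, service = selected
    if service.required_group not in groups:
        return None                       # identity requirement not met
    return {
        "user": username,
        "rule": rule_name,
        "service": service.name,
        "profile": service.profile.name,
        "av_pairs": service.profile.av_pairs(),
    }


if __name__ == "__main__":
    for ip in ("10.10.2.5", "10.10.1.5", "10.20.3.4", "192.168.1.1"):
        print(ip, authorize(ip, "alice", frozenset({"netadmins"})))
```

    Running it shows the same user getting the PI profile from the PI subnet, the UCS profile from the UCS subnet, the default profile from anywhere else in the 10.0.0.0/8 range, and a rejection from an address no rule covers or when the group requirement is not met.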

  • RELEVANCY SCORE 4.00

    DB:4.00:Cisco Prime Infrastructure Tacacs+ With Radiator 9p

    I'm trying to set up tacacs+ to our Cisco Prime Infrastructure 1.2. Currently we use ACS for this, but we're moving to radiator.

    It logs you in, but then says 'you don't have access to overview' and basically you get no access at all.

    I have a feeling it is something to do with attributes that you cut and paste in to radiator (we did the same in to ACS and that had no problem).

    Has anyone else done this before or had any experience?

    DB:4.00:Cisco Prime Infrastructure Tacacs+ With Radiator 9p


    Hi Scott

    Yeah that's what I did too. Just using ACS as a reference as I know that works.

    Funny thing... I just went back into PI and to the custom attributes, and they are both blank other than the first line that lists the domain! Weird. Going to try importing them back in again.

  • RELEVANCY SCORE 3.73

    DB:3.73:Vsa To Tacacs+ jk

    Hi,

    I am new to TACACS+ server installation. I would like to know how to add vendor-specific attributes to a TACACS+ server. Is there any option to add vendor-specific attributes to TACACS+ as there is in a RADIUS server? If there is, please let me know the steps to add the same.

    Thanks in advance,

    Balajee

    DB:3.73:Vsa To Tacacs+ jk


    Hello,

    AFAIK, VSA are specific to RADIUS.

    Regards,

    James

  • RELEVANCY SCORE 3.55

    DB:3.55:Prime 2.0 Partial Collection Failure mc



    Hi,

    I have set up the following in a lab:

    Prime Infrastructure 2.0 (2.0.0.0.294)

    Cisco Secure ACS 5.4.0.46.0a

    Windows 2003 Domain Controller for AD Authentication

    Goal: Admin access to network devices requires authentication via TACACS+ to ACS (-> Active Directory). Network devices need to be managed by Prime. SSH access to network devices via PuTTY and authentication against ACS/AD works just fine.

    Problem: During device discovery in Prime, I get a "Partial Collection Failure" with possible cause "Could not connect to device via CLI (SSH/telnet). Check device credentials and SSH/telnet reachability". The device gets inserted into the Device Work Center with blank SSH credentials. If SSH credentials are configured manually, the device sync is successful. So basically the discovered devices need to be manually configured with SSH credentials in the Device Work Center in order for the sync to work, which is a pain in a large environment.

    Troubleshooting done:

    - I have double-checked the credentials, and everything seems fine.

    - Same result with local ACS user.

    - Installed the latest patch pi_update_2.0-3.zip

    - tacacs debug on network devices shows PASS

    Network Device TACACS+ config:

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login LOGINLIST group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    !
    !
    aaa session-id common
    !
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key ************
    !
    line vty 0 4
     password 7 ************
     logging synchronous
     login authentication LOGINLIST
     length 20
     width 200
     transport input ssh

  • RELEVANCY SCORE 3.49

    DB:3.49:Strange Problem With Cut-Through Proxy 9j



    hi

    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.

    My router's Ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.

    My router's e2/0 interface is connected to a server running a website.

    int e2/0
     no shutdown
     ip add 20.1.1.1/24
    exit

    the webserver is running on 20.1.1.2

    my router's config

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
     no shutdown
     ip add 10.1.1.1/24
     ip access-group 101 in
     ip auth-proxy auth
    exit

    On the ACS server, in the TACACS+ (Cisco IOS) settings, I have selected auth-proxy in the services for users and groups.

    I have created a user john with privilege level 15, and have selected auth-proxy and custom attributes:

        proxyacl#1=permit tcp any any priv-lvl=15

    I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.

    After entering the login credentials I get "authentication failed".

    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as PASS. I also see the auth-proxy triggered. In there I see

    AUTH-PROXY PROTOCOL NOT CONFIGURED.

    Could someone please help me with what the problem could be? I have tried many times to get this to work, but have not been fortunate enough.

    Am I missing any commands on the router or on the ACS? I tried doing it as in the example mentioned in the student guide but it still failed. Please help; waiting for some reply.

    sebastan

    DB:3.49:Strange Problem With Cut-Through Proxy 9j


    Check out the following link...

    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

  • RELEVANCY SCORE 3.42

    DB:3.42:Css And Tacacs 7c



    Does Webns support TACACS single-connection mode by default?

    DB:3.42:Css And Tacacs 7c


    Is it compatible with single-connection option on Cisco ACS server? I've noticed error messages on ACS server indicating Syn Flood attack attempts from CSS boxes detected by CSAgent. What's the recommended configuration on ACS server for CSS?

    Thanks

  • RELEVANCY SCORE 3.38

    DB:3.38:Prime Infra, Acs5.4 And Radisus/Tacacs Behaviour 3a



    Hi,

    I noticed a strange behaviour while working on migrating to PI 1.2. I use ACS 5.4 (virtual appliance) as my authentication server, with TACACS+ as the authentication protocol.

    Except for wireless controllers and Nexus 5K switches, all the AAA clients were being managed with a warning. I saw the log on the ACS server and noticed lots of authentication failures, and this is not because the credentials were not right. I sniffed the traffic and noticed lots of fragmentation and re-transmissions and also restarts of TCP sessions. I changed the authentication protocol to RADIUS for sample devices (5 different kinds of switches). The sample devices are now being managed without any problem (no warnings). I couldn't find a rational explanation as to what is happening. Any idea that sheds light on this will be appreciated.

    Thanks,

    Kerim

  • RELEVANCY SCORE 3.38

    DB:3.38:Acs 5.2 - Adding Custom Attributes For Juniper Netscreen Tacacs+ Authentication p9



    Hi,

    I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:

        service = netscreen {
            vsys = root
            privilege = read-write
        }

    I know how to add this to a version v4.x ACS.

    However, I do not know how to apply this to the custom attributes on a v5.x ACS.

    Do I add the vsys and privilege attributes separately or together? What should the attribute name be? netscreen? Should it be mandatory?

    Any advice please

    DB:3.38:Acs 5.2 - Adding Custom Attributes For Juniper Netscreen Tacacs+ Authentication p9


    Thanks Justin,

    I was hoping to use just one shell profile for both device groups. We have it working with separate profiles, but it would be less overhead with one!

    I haven't tried NX-OS yet, but I imagine it will be a similar story.

    Craig

  • RELEVANCY SCORE 3.34

    DB:3.34:Calls Accounting And Gatekeeper 9k



    Hello!

    Can I register the "called number" (DNIS) when I use gatekeeper accounting and TACACS+? TACACS+ receives a lot of h323-accounting information but nothing about the destination address.

    !
    aaa accounting connection h323 start-stop group tacacs+
    !
    gw-accounting aaa
     acct-template callhistory-detail
    !
    gatekeeper
     accounting vsa
    !

    The following list of h323 attributes has been received from the gatekeeper:

        h323-gw-id
        h323-conf-id
        h323-call-origin
        h323-call-type
        h323-remote-address
        h323-disconnect-cause

    Thank you.

    Best regards.

    DB:3.34:Calls Accounting And Gatekeeper 9k


    Hi Andrew,

    Though I have never used TACACS+ as a billing server for VoIP, I guess the CDR records should be the same for RADIUS and TACACS+. The CDR list is very exhaustive in nature and SHOULD contain DNIS by default. There is no special configuration required for sending DNIS in CDR.

    Please refer to following documents for CDR reference. It is a good idea to use gateways for obtaining CDRs, since they provide far more fields of information compared to gatekeepers.

    http://www.cisco.com/warp/public/cc/so/cuso/sp/sms/acct/caaaf_cg.htm

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_programming_reference_guide09186a00800b5e17.html#xtocid1350

    thanks and regards,

    Amit.

  • RELEVANCY SCORE 3.20

    DB:3.20:Prime Infrastructure 2.0 Integration With Acs As A Tacacs+ Server d3



    Hi.

    I am doing an implementation of Prime Infrastructure 2.0 and we are going to use our ACS as a TACACS+ server for PI user authentication. My problem is the configuration that must be done on the ACS in order to complete this integration; when I searched I found that I must do these steps:

    - Creating Network Devices and AAA Clients
    - Adding Groups
    - Adding Users
    - Creating Policy Elements or Authorization Profiles for TACACS+
    - Creating Service Selection Rules for TACACS+
    - Configuring Access Services for TACACS+

    Half of these steps I do not understand (why we do them or how to do them), so can anyone explain this and show me how to do it, or direct me to an article that does so?

    The configuration on Prime is done and I do not have any problems with it; the ACS is the problem.

    We are using ACS 5.3.

    Thanks a lot, and I appreciate your efforts.

    DB:3.20:Prime Infrastructure 2.0 Integration With Acs As A Tacacs+ Server d3


    The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.

    Administration > AAA > TACACS+ Servers: add the TACACS+ server.

    Administration > AAA > AAA Mode Settings: select TACACS+ and enable fallback to local.

    The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x":

    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935

    "Configuring ACS 4.x":

    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896

    https://supportforums.cisco.com/docs/DOC-17909

    In case it doesn't work, please get the logs from the ACS Reports and Monitoring for the TACACS+ authentication, and the error message shown while accessing Cisco Prime.

  • RELEVANCY SCORE 3.19

    DB:3.19:Cisco Prime Radius Users kj



    I have a Cisco Prime server (version 2.0) and an ACS server (5.6)

    I am using the ACS server to authenticate my users, via Tacacs

    I have some of my users being authenticated as Lobby Ambassadors

    I have used the bulk import to create a shell profile and this works without a problem


    What I would like to do is set the preferences for these Lobby Ambassador users when they log in - as below

    Limiting what they can change


    I do not believe that the lobby ambassador group can be modified, so I thought I'd create my own profile

    I created a user defined 1 and tried to create a similar setup to the Lobby Ambassador, I then imported the attributes but it does not work

    there are differences between my user defined and the Lobby admin.

    How can I add

    NCS:task2=LOBBY-AMBASSADOR-GLOBAL


    Or is it not possible to do what I am attempting?


    Thanks

    DB:3.19:Cisco Prime Radius Users kj


    If anyone is interested, this works for me


    https://supportforums.cisco.com/discussion/11553066/lobby-ambassador-profiles-acs-53

  • RELEVANCY SCORE 3.19

    DB:3.19:350ap Authorization Fails(Service Denied Service=Aironet Protocol=Shell) 3c



    I am trying to get management authentication working using TACACS from a 350AP running FW 12.0T. The requests hit the ACS server but I get the message author failed (service denied service=aironet protocol=shell). It seems that I have something wrong with the user or group level TACACS attributes but I am new to ACS. Help Please...

    DB:3.19:350ap Authorization Fails(Service Denied Service=Aironet Protocol=Shell) 3c


    Does this require certain release of ACS?

    My ACS server is at version "3.0(2) Build 5" (no service patch), and image 12.0T for the wireless APs.

    The wireless aironet users can authenticate via the ACS radius no problem, but for admin management access to the access points, I can't find the "Radius (Aironet)" attributes in the Interface Configuration section, only the "Radius (IETF)" shows up when I define the APs with "Radius (Cisco Aironet)" in "Authenticate Using".

    Any idea?? Thanks.

    Fanny

  • RELEVANCY SCORE 3.14

    DB:3.14:Adding A Tacacs Av-Pair ss



    We have some non-Cisco equipment that support TACACS for authentication. The only problem is when passing the privilege level from TACACS to the equipment. The equipment understands the attribute "priv_lvl" instead of the default "priv-lvl" supplied with ACS 3.1 for Windows.

    Is there any way with ACS 3.1 for Windows to add a TACACS AV Pair? I would like to add the "priv_lvl" attribute for TACACS. I'm pretty sure that this was possible with ACS 2.3 for UNIX because all the attributes were configured in a text file and easily changeable.

    Thanks in advance!

    J.

    DB:3.14:Adding A Tacacs Av-Pair ss


    Hi Jimmy,

    You are absolutely right that it is very easy to do it in ACS Unix. Unfortunately, with ACS NT/2K this not possible. It is limited to Radius dictionary though. So, user defined AV pair is possible only for Radius dictionary on ACS NT/2K not for ACS Unix.

    Here is the list of AV Pair supported for TACACS+:

    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/ac.htm#902411

    Here is how you can add AV pairs for Radius dictionary:

    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/ae.htm#231400

    Thanks,

    Mynul

  • RELEVANCY SCORE 3.14

    DB:3.14:Cisco Asa Cx Tacacs Via Acs pd



    I have started working with an ASA5512-X with AVC and Web Essentials enabled. Now I would like to integrate this module with our default way of working for network management. Normally we use ACS with TACACS+ for network management. Is it possible to integrate? Or do I need the Central Prime Security Manager for this?

    DB:3.14:Cisco Asa Cx Tacacs Via Acs pd


    I'm not sure about single device mode (on-box PRSM) but if you use the separate PRSM (multiple device mode or "off-box") and have integrated with a directory realm, you can add remote users belonging to that realm to PRSM.

    You cannot at this time use TACACS or RADIUS as a directory realm - the supported types are LDAP, Active Directory and SSO.

  • RELEVANCY SCORE 3.14

    DB:3.14:Strange Problem With Cut-Through Proxy s8



    hi

    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.

    My router's Ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.

    My router's e2/0 interface is connected to a server running a website.

    int e2/0
     no shutdown
     ip add 20.1.1.1/24
    exit

    the webserver is running on 20.1.1.2

    my router's config

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
     no shutdown
     ip add 10.1.1.1/24
     ip access-group 101 in
     ip auth-proxy auth
    exit

    On the ACS server, in the TACACS+ (Cisco IOS) settings, I have selected auth-proxy in the services for users and groups.

    I have created a user john with privilege level 15, and have selected auth-proxy and custom attributes:

        proxyacl#1=permit tcp any any priv-lvl=15

    I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.

    After entering the login credentials I get "authentication failed".

    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as PASS. I also see the auth-proxy triggered. In there I see

    AUTH-PROXY PROTOCOL NOT CONFIGURED.

    Could someone please help me with what the problem could be? I have tried many times to get this to work, but have not been fortunate enough.

    Am I missing any commands on the router or on the ACS? I tried doing it as in the example mentioned in the student guide but it still failed. Please help; waiting for some reply.

    sebastan

    DB:3.14:Strange Problem With Cut-Through Proxy s8


    After you have finished configuring the HTTPS server, you must configure the authentication proxy (globally and per interface). For information on completing this task, refer to the section "Configuring the Authentication Proxy" in the chapter "Configuring Authentication Proxy" of the Cisco IOS Security Configuration Guide, Release 12.2.

    Verifying HTTPS Authentication Proxy

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122yu11/ftfwhttp.htm

  • RELEVANCY SCORE 3.13

    DB:3.13:Forticlient Ipsec Vpn Authentication With Acs 5.X 87



    Hi,

    I am trying to authenticate the Forticlient IPSEC VPN users with ACS 5.x via radius or tacacs. Is authentication possible by using tacacs?

    For radius, what are the Radius attributes to be configured on the ACS? Please help. Appreciate your response. Thanks.

    Regards,

    jembaldovino

    DB:3.13:Forticlient Ipsec Vpn Authentication With Acs 5.X 87


    I have found a very good guide, please have a look, it may help you:

    http://docs-legacy.fortinet.com/fgt/handbook/50/5-0-5/fortigate-authentication-50.pdf

  • RELEVANCY SCORE 3.12

    DB:3.12:Administration Menue On Prime (2.0) Is Missing After Tacacs+ Login 83



    I exported all shown tasks (174) from the "root" export task list to ACS. [Role0=Root]

    After login, the "Administration" menu is missing.

    Which task is missing?

    An additional question: where can I disable the auto-logoff timer?

    "Logout idle user" (Preferences) has no function.

    Regards Sven

  • RELEVANCY SCORE 3.08

    DB:3.08:Cisco Prime Infrastructure 1.3 Tacacs+ Authorization Problem 7s



    Hello,

    We are having trouble setting up our new installation of Cisco PI 1.3 to work with TACACS+ configured on ACS 4.2.

    We have followed the procedure explained in the Cisco PI 1.3 configuration guide, and in the TACACS+ logs we can see that we have successful authentication but authorization is unsuccessful:

    21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,

    21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP

    We have added the user group into ACS as explained in the configuration guide, and we have also tried to add the virtual domain at the beginning or at the end of the list, but that didn't solve our problem.

    Is there anything that we can do in order to make Cisco PI authenticate users using TACACS+?

    Any help in finding solution for this problem will be very appreciated.

    Regards,

    Jelena

    DB:3.08:Cisco Prime Infrastructure 1.3 Tacacs+ Authorization Problem 7s


    Hi!

    I had a problem with authorization on a Linux-based TACACS+ server.

    Solution: you need to add service NCS to your admins group in .../tac_plus.cfg with all tasks from the Prime Task List, like:

        service = NCS {
            virtual-domain0=ROOT-DOMAIN
            role0=Admin
            task0="View Alerts and Events"
            task1="Run Job"
            task2="Device Reports"
            .......

    Without the double quotes (" ") it won't work!
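
    An added example (not code from the reply or from tac_plus) that produces the service = NCS block shown above from a Prime task list and checks an existing block for the mistake the reply warns about, attribute values containing spaces that are not wrapped in double quotes. The three task names are the ones quoted in the reply; the virtual domain and role values match the reply, and the attribute-line grammar the checker accepts (name = value) is an assumption about the tac_plus.cfg syntax, not a complete parser.

```python
"""Added example (not from the forum post or from tac_plus): render a
service = NCS { ... } block from a Prime Infrastructure task list and flag
attribute values with whitespace that are missing their double quotes."""
import re
from typing import List


def render_ncs_service(virtual_domain: str, role: str, tasks: List[str]) -> str:
    """Emit a tac_plus-style service block; task names are always quoted."""
    lines = [
        "service = NCS {",
        f"    virtual-domain0={virtual_domain}",
        f"    role0={role}",
    ]
    for index, task in enumerate(tasks):
        lines.append(f'    task{index}="{task}"')   # quotes required: task names contain spaces
    lines.append("}")
    return "\n".join(lines)


# name = value, surrounding whitespace allowed; the value is captured raw (assumed grammar)
ATTR_RE = re.compile(r"^\s*([\w:.-]+)\s*=\s*(.*?)\s*$")


def find_unquoted_values(config_text: str) -> List[str]:
    """Return attribute names whose value contains whitespace but is not quoted."""
    unquoted = []
    for line in config_text.splitlines():
        if line.rstrip().endswith("{"):      # 'service = NCS {' is a block header, not an AV pair
            continue
        match = ATTR_RE.match(line)
        if not match:
            continue
        name, value = match.groups()
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if any(ch.isspace() for ch in value) and not quoted:
            unquoted.append(name)
    return unquoted


# Task names as quoted in the reply; a real export has many more.
TASKS = ["View Alerts and Events", "Run Job", "Device Reports"]

if __name__ == "__main__":
    block = render_ncs_service("ROOT-DOMAIN", "Admin", TASKS)
    print(block)
    print("unquoted in generated block:", find_unquoted_values(block))
    print("unquoted after stripping quotes:", find_unquoted_values(block.replace('"', "")))
```

    Running the checker over a block with the quotes stripped reports task0, task1 and task2, which is exactly the state that makes Prime's authorization fail; single-word values such as role0=Admin are accepted either way.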

  • RELEVANCY SCORE 3.06

    DB:3.06:Acs 5.3 Configure Attributes In Huawei j3



    I need to configure attributes such as restricting commands on Huawei equipment from ACS 5.3, preferably via TACACS+, otherwise RADIUS. Could you help me, since I cannot find information on what to configure in the ACS?

    Thanks.

  • RELEVANCY SCORE 3.06

    DB:3.06:Tacacs+ Configuration On Nexus 7000 pd



    Table of Contents

  • RELEVANCY SCORE 3.06

    DB:3.06:Tacacs Proxy On Acs5.Ppt f7



    Tacacs Proxy on ACS-5.3

  • RELEVANCY SCORE 3.06

    DB:3.06:How Is It Possible To Assign A Static Client Ip Address With Tacacs In Acs 5.X fc



    Hello,

    I have an ACS 5.6 in use. The authentication protocols used are RADIUS and TACACS+.

    With RADIUS it is no problem to assign a static IP address to a user with RADIUS attributes that are stored in authorization profiles.

    Is it possible to assign a static IP address to an existing user in the ACS server with TACACS+?

    Thanks in advance and kind regards

    Fabian Wrba

    DB:3.06:How Is It Possible To Assign A Static Client Ip Address With Tacacs In Acs 5.X fc


    Hello,

    thanks for your fast answer!

    I will try to give you an explanation of what exactly I want to do:

    I have installed a new ACS 5.6 server in our network. Until now we have had an ACS 4.2 in use. At the moment I have migrated 95% of users from ACS 4.2 to ACS 5.6. These 95% all use RADIUS and they use network administration with authorization profiles (assign static IP address to user). There is no problem!

    The remaining 5% of users (Cisco 700 ISDN routers) use the TACACS+ protocol. At the moment it works with ACS 4.2 because there it is possible to assign them a static IP address. On the ACS 5.6 I can't find a way to do this because, as you already say, apparently only device administration is possible.

    My question is: is it even possible, with TACACS+ and the ACS 5.6, to assign static IP addresses as on the ACS 4.2, and if so how?

    Kind regards

    Fabian Wrba

  • RELEVANCY SCORE 3.06

    DB:3.06:Wlse Tacacs+ Management In Acs 5.2 13



    Hi, I cannot access WLSE, after migration from ACS 4.2 to ACS 5.2.

    WLSE was configured with tacacs+ management.

    In ACS 5.2 I've configured the optional custom attributes: groups = "System Admin"

    thanks in advance

    rs

    DB:3.06:Wlse Tacacs+ Management In Acs 5.2 13


    Hi, following a screenshot of an ACS 4.2:

    thanks

    rs

  • RELEVANCY SCORE 3.05

    DB:3.05:Why Does Lms 4.2.5 Physical Server Take Over 3 Minutes To Log Into Every Time? xk



    We have installed our new LMS 4.2.5 physical appliance and the Prime Infrastructure physical appliance.

    When I log into the PI server it's about 2 to 3 seconds, when I log into the LMS server it's about 3 to 4 minutes.

    When using local login for the LMS server it takes 2 minutes or a bit longer but still slower than it should be.

    Both servers are on TACACS+ for AAA pointing to the same TACACS+ servers.

    Has anyone experienced this before?

    I googled around to see if there is some extra checking being done by LMS before allowing you access but no information.


    ej

    DB:3.05:Why Does Lms 4.2.5 Physical Server Take Over 3 Minutes To Log Into Every Time? xk


    Found the reason, I told it to use TACACS+ to authenticate when I first built it so I could test it. I then got distracted from my task and when I returned forgot about it. Until someone pointed it out after reviewing the logs and thought that might be it. Yes it was so that's taken care of.


    ej

  • RELEVANCY SCORE 3.05

    DB:3.05:Bulk Update Of Cli Credentials In Prime 2.1 aj



    I have a number of devices in Prime 2.1 which use a management TACACS+ account plus SNMP to talk with Prime. The management TACACS+ account password has now been changed and thus Prime is not able to use this account to manage the devices. Is there a way to update all of my devices in Prime with the new password at once?

    Many thanks, Mike

    DB:3.05:Bulk Update Of Cli Credentials In Prime 2.1 aj


    Hi Doug,

    History of the information is not lost until you delete the devices from Prime Infrastructure.

    Yes, Export and Import should be fine.

    **One suggestion: use an editor tool like Notepad++ to edit the credentials in the file. Excel sometimes creates issues while you edit the credentials.

    Thanks-

    Afroz

  • RELEVANCY SCORE 3.04

    DB:3.04:Prime Ncs: Tacacs+ Integration Into Acs 5.1 x9



    Hello,

    I'd like to integrate TACACS+ into NCS.

    I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.

    Any ideas?

    regards

    Alex

    Here is my Shell Profile Configuration

    DB:3.04:Prime Ncs: Tacacs+ Integration Into Acs 5.1 x9


    Yes that's correct. You map the AD users to roles.

    Sent from Cisco Technical Support iPad App

  • RELEVANCY SCORE 3.04

    DB:3.04:Username Problem In Prime Lms 4.1 9p



    Hello everyone,

    I just installed Cisco Prime LMS 4.1, and now I want the user authentication to integrate with my TACACS server. I try to add my users with the same username as they appear in TACACS, but in LMS when I try to add a user that has a dot in it, e.g. "smith.j", it says that the "." is an invalid character. Is there a way around that, because I don't want to rename every user in TACACS, plus the fact that I want to integrate TACACS with LDAP soon.

    Thanks a lot for your help.

    Patrick Vezina

    Technical Advisor

    DB:3.04:Username Problem In Prime Lms 4.1 9p


    There is also a policy for usernames in LMS.

    Admin - System - User Management - Local User Policy Setup

    That currently says no dot in the name, which I believe is a good thing actually :-)

    Check that first.

    Cheers,

    Michel

  • RELEVANCY SCORE 3.03

    DB:3.03:Prime Lms 4.2 Soft Appliance Process Issue p3



    Hi all,

     

    I'm in a big confusion. I installed a fresh Prime LMS 4.2 (without the patches) on a VM (after the old one crashed with no way of recovering all the data).

    The installation went ok, I got to the GUI and started to cosmeticize; a few minutes after, I changed the login to go through TACACS+.

    I stopped the service in the shell and even reloaded the machine, but still I didn't succeed in logging in to the web.

    I checked the processes and I saw that all the main ones are in Never Started mode (ANIServer, Apache, DCRclient, DCRServer).

    I tried to enable them manually but I just get a message that says the daemons are starting, please wait (I waited 30 min).

    Can someone advise and help?

    Thanks

    DB:3.03:Prime Lms 4.2 Soft Appliance Process Issue p3



  • RELEVANCY SCORE 3.02

    DB:3.02:Tacacs+ 7x



    How to implement TACACS+ security on my network

    DB:3.02:Tacacs+ 7x


    In addition to what ciscooderator said, you might want to check out the following resources:

    Book: Cisco IOS Network Security, put out by Cisco, has scenarios and commands for TACACS+ deployments.

    But of course, since you're online, you might want to check out the security tech-tips page.

    http://www.cisco.com/warp/public/707/index.shtml

    Your post didn't have a lot of detail to it, so I have no idea what you want to do with TACACS+ - suffice to say you can do quite a bit with it :-)

    Hope this helps

    -Rakesh

  • RELEVANCY SCORE 3.00

    DB:3.00:Can I Force Users To Log Into Prime With Classic Theme By Default? c7



    I have recently installed Prime 2.1 and just configured Tacacs. Coming from WCS I am used to the classic theme. I would like to force users when they log in to automatically be in classic theme but I cannot find any info on that.

    Anyone has an idea?

    DB:3.00:Can I Force Users To Log Into Prime With Classic Theme By Default? c7


    Afroz,

     

    Unfortunately TAC wasn't able to help me and since I don't have a lot of users (5-10) I chose to tell my users about both views and have them switch on first login. It was faster than escalating to another engineer...

    TAC mentioned that in the next Prime version Classic View will be depreciated too...

    :(

    thanks for your help.

     

  • RELEVANCY SCORE 2.99

    DB:2.99:Using Tacacs+ Auth From Acs 5.1.0.44 To Ace. Having Issues With Shell (Exec) zk



    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    So I am trying to get TACACS+ auth to work for my ACE.

    The command string that I have on the ACE is as follows:

    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15

    aaa group server tacacs+ tacacs+

      server 172.16.101.4

    aaa authentication login default group tacacs+ local

    aaa authentication login console local

    aaa accounting default group tacacs+ local

    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.

    I do not know how to do this on the ACS 5.1.0.44.

    Anyone know?

    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.

    Thanks for your reply. About this question:

    shell:Context*Role Domain

    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log in to the ACE over the context with superuser rights.

    Group setup ‑ users ‑ TACACS+ Settings ‑ enable Shell(exec) ‑ enable Custom attributes ‑ right below this part you need to use the following syntax to link the ACE context that this user has access to.

    For example:

    shell:Context*Role Domain

    shell:Admin*Admin default‑domain

    Where this user will have access to the Admin context with the role

    admin using the 'default‑domain'

    DB:2.99:Using Tacacs+ Auth From Acs 5.1.0.44 To Ace. Having Issues With Shell (Exec) zk


    Nevin Absher assisted me with one last aspect that I didn't understand. The ACS needs to pass a role as well so my shell attribute looks like this:

    shell:Admin Optional Admin default-domain

    Thank you for your help on this issue!

  • RELEVANCY SCORE 2.98

    DB:2.98:Cisco Prime Infrastructure 2.0 Tacacs+ Functionality fp



     Hello Forum Team!

    Can Cisco PI 2.0 act as a full TACACS+ server (this is for the replacement of an ACS 1113 hardware appliance)?

     

    Thanks in advance!

    DB:2.98:Cisco Prime Infrastructure 2.0 Tacacs+ Functionality fp


    No.

    PI 2.0 is a network management system. It has no AAA server functionality (either TACACS+ or RADIUS).

    PI 2.0 can use an external TACACS etc. server for authentication but that's about the extent of it.

  • RELEVANCY SCORE 2.98

    DB:2.98:Asa 5505 /Vpn/Radius kd



    Hello

    Trying to configure VPN access via radius on ASA 5505

    Trying to test authentication, but getting an error, see below

    Thanks

    aaa-server RADIUS protocol radius

    aaa-server RADIUS (inside) host x.x.x.x

    key *****

    radius-common-pw *****

    aaa-server TACACS+ protocol tacacs+

    aaa-server radiusserver protocol radius

    aaa-server radiusserver (inside) host x.x.x.x

    key *****

    tunnel-group remoteusers type remote-access

    tunnel-group remoteusers general-attributes

    address-pool vpn

    default-group-policy remoteusers

    tunnel-group remoteusers ipsec-attributes

    pre-shared-key *****

    fw# test aaa-server authentication radius host x.x.x.x username xxxx password xxxxx

    ERROR: aaa-server group radius does not exist

    DB:2.98:Asa 5505 /Vpn/Radius kd


    Your group name is radiusserver, not radius, you should be able to use the following:

    test aaa-server authentication radiusserver host x.x.x.x username xxxx password xxxxx

  • RELEVANCY SCORE 2.96

    DB:2.96:Cisco Prime Device Access Control Via Tacacs Authentication fc



    Hi,

    I have deployed a Cisco Prime LAN Management Server and I have configured TACACS authentication and authorization for users accessing the Prime box via Cisco ACS v5.2. As I have two groups of users, I would like to restrict the access rights to the Cisco Prime for these two groups of users (access rights of Helpdesk for one group and Super Admin for another group). I am able to authenticate successfully via the Cisco ACS v5.2, however I always seem to be given the rights of Helpdesk only.

    Please advise.

    Many Thanks in Advance.

    Rgds

  • RELEVANCY SCORE 2.95

    DB:2.95:Tacacs Server. 8c



    Recommend a good and FREE TACACS server please.

    DB:2.95:Tacacs Server. 8c


    It's by no means as fully-functional as ACS, but I use it in my lab, and it does the job. It is based on the old tac_plus software developed by Cisco:

    ftp://ftp.shrubbery.net/pub/tac_plus/

    (Source code only)

  • RELEVANCY SCORE 2.93

    DB:2.93:Acs 5.4 Tacacs Authorization Asr 9001 x1



    Hi

    can someone help with TACACS attributes to authorize users on Cisco ASR 9001 (IOS XR)

    thanks

    Yoram

    DB:2.93:Acs 5.4 Tacacs Authorization Asr 9001 x1


    Thanks Yoman you are most welcome.

    Can you share with us what task and what user group you used? If someone faces the same issue as you, it will be useful to them.

    Rating useful replies is more useful than saying "Thank you"

  • RELEVANCY SCORE 2.91

    DB:2.91:Acs4.X To Acs5.1 - Migrating Tacacs New Services 77



    How can we migrate TACACS support for other software into ACS 5.1? This is supported in ACS 4.x in the New Services section of the Interface Configuration tab and appears in the User Group attributes at the bottom of the TACACS section. We actually have some custom attributes in those entries.

    DB:2.91:Acs4.X To Acs5.1 - Migrating Tacacs New Services 77


    ACS 5.1 has a different policy-based approach to assigning privileges as opposed to ACS 4.x, where these were stored in either the user or group definitions.

    Won't go into all the explanations on this. You have some good materials on the "Welcome" page in the GUI.

    Out of the box, all TACACS+ requests get handled by the "Default Device Admin" policy.

    You can see the authorization results by going to: "Access Policies > Access Services > Default Device Admin > Authorization"

    If you click on Default to see the results for the default rule and then press "Create", you can now create a new set of TACACS+ attributes to be returned. Go to the "Custom Attributes" tab and you can add the custom attributes.

    This describes how to do it out of the box. This will evolve as you build up your policies.

  • RELEVANCY SCORE 2.91

    DB:2.91:How To Setup Acs 5.1 To Provide Tacacs+ Vsa/Options/Av-Pair For Nexus? dk



    I am trying to set up ACS 5.1 to pass the VSA attributes as defined in the NX-OS config guide, but I can't find TACACS+ VSA as an option in ACS 5.1, only RADIUS VSA.

    From config guide:

    "

    The Cisco TACACS+ implementation supports one vendor-specific option using the format
    recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor

    type 1, which is named cisco-av-pair. The value is a string with the following format

    "

    Any ideas on where to look and how to do this?

    DB:2.91:How To Setup Acs 5.1 To Provide Tacacs+ Vsa/Options/Av-Pair For Nexus? dk


    You can define it in "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles" by using the format mentioned in the NX-OS guide in the link below.

    http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473445

  • RELEVANCY SCORE 2.91

    DB:2.91:Prime Lms 4.2.1 Netconfig And Template Tftp/Ssh Issue kk



    I have cisco Prime 4.2.1 installed and am trying to deploy templates and Adhoc Netconfigs. The jobs are failing with the following message:

    Command(s) failed on the device TFTP: Failed on the device. SSH: Failed to establish SSH connection to 10.104.114.231 - Cause: Authentication failed on device 3 times.

    If I deploy a Netconfig Task, say just adding a Syslog Server to the same switch it succeeds, no problem.

    I am using Cisco ACS 5.2 - TACACS and have configured the TacacsPrompts.ini file for the username and password prompt. I can log onto the switch with the Prime account no problem using Telnet. SSH has not been configured on the switch. I can't find where the protocols for connecting to devices are configured within Prime LMS?

    DB:2.91:Prime Lms 4.2.1 Netconfig And Template Tftp/Ssh Issue kk


    hi gary,

    based on my understanding, it's because the device is not configured with SSH.

    is the device running an SSH-enabled (K2 or K9) image? if yes, you can enable SSH.

    if no, then perhaps you want to try to find it here to change it to telnet

    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/configuration/appa.html

    regards,

  • RELEVANCY SCORE 2.89

    DB:2.89:Tacacs+ Server Configuration On Windows mj



    Hi,

    I am using Cisco Secure ACS 3.2 on windows 2003 server and my question is how to configure vendor specific TACACS+ service and attributes in the TACACS+ server.

    could you please anybody help me?

    thanks,

    janardhan

    DB:2.89:Tacacs+ Server Configuration On Windows mj


    Hi

    Go to "Interface Config" then "TACACS+ (Cisco IOS)"

    Enter your custom service/protocol name.

    Tick the "Display a window for each service selected in which you can enter customized TACACS+ attributes" box

    In the group edit page you should now be able to enable the service and enter custom attributes.

    Darran

  • RELEVANCY SCORE 2.89

    DB:2.89:Configure Juniper Networks Permissions In Tacacs? j1



    Hi Guys

    I have my SecureACS working well with Cisco devices, and have just completed a basic tacacs setup that works on my Juniper routers.

    I want to use the groups already defined in ACS to deploy permit/deny commands to for the Juniper routers - how is this done within Secure ACS for windows?

    I can see how its done in unix:

    To specify these attributes, include a service statement in the TACACS+ server configuration file of the following form:

    service = junos-exec {

    local-user-name = username-local-to-router

    allow-commands = "allow-commands-regexp"

    deny-commands = "deny-commands-regexp"

    }

    Any ideas? Thank you guys

    DB:2.89:Configure Juniper Networks Permissions In Tacacs? j1


    We have done some tests with ACS and Juniper.

    In "Interface configuration" add a new service junos-exec without any protocol, set it for users and groups (whichever you prefer), and you will see the new service in the user/group configuration.

    Mark junos-exec as active, mark Custom attributes and enter e.g.:

    local-user-name=users1

    allow-commands=(show version)|(show configuration)

    It should work. :)

  • RELEVANCY SCORE 2.88

    DB:2.88:Attribute Definition Syntax j8



    Hi !

    I planned to migrate our MDS switches to TACACS+ for AAA services. In the documentation I find some different ways of defining attributes:

    http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/radius.html#wp1224864

    shell:roles="network-admin"

    DB:2.88:Attribute Definition Syntax j8


    Whether you put shell: or cisco-av-pair: depends on the RADIUS server.

    The * instead of the = makes the attribute optional rather than mandatory. This will have relevance if those attributes will be sent to all devices in which the user logs in, in that case you will want to make the attributes optional or the device might fail authorization if it doesn't know what to do with a mandatory attribute (IOS, for example, will fail authorization if it receives a role assignment as mandatory).
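To make the "=" versus "*" rule concrete, here is an added Python example (not from the post or from any Cisco product) that parses TACACS+ authorization AV pairs and applies the device-side rule described above: an attribute the device does not understand fails authorization when it was sent as mandatory and is ignored when it was sent as optional. The per-platform sets of understood attributes and the two sample shell profiles are constructed assumptions.

```python
"""Added example: TACACS+ authorization AV pairs, mandatory ('=') vs optional ('*').

Not from the post or from Cisco; the platform attribute sets and the sample
shell profiles below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # True for 'attr=value', False for 'attr*value'


def parse_av_pair(raw: str) -> AVPair:
    """Split one AV pair on the FIRST '=' or '*'.

    The separator is the first occurrence of either character, so the value
    may itself contain '=' or '*': cisco-av-pair*shell:roles*"admin" has the
    attribute 'cisco-av-pair' and the value 'shell:roles*"admin"'.
    """
    for i, ch in enumerate(raw):
        if ch in "=*":
            if i == 0:
                break  # empty attribute name is not a valid pair
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"not a TACACS+ AV pair: {raw!r}")


def authorize(profile, understood):
    """Apply the device-side rule from the post to a list of raw AV pairs.

    Returns (allowed, applied): 'applied' holds the attributes the device
    understood. An attribute the device does not understand fails the whole
    authorization if it was mandatory and is silently dropped if optional.
    """
    applied = {}
    for raw in profile:
        pair = parse_av_pair(raw)
        if pair.attr in understood:
            applied[pair.attr] = pair.value
        elif pair.mandatory:
            return False, {}  # unknown mandatory attribute -> authorization fails
        # unknown optional attribute -> ignored, keep going
    return True, applied


# Constructed assumptions: which attributes each platform acts on.
IOS_UNDERSTOOD = {"priv-lvl"}                  # IOS has no concept of shell:roles
NXOS_UNDERSTOOD = {"priv-lvl", "shell:roles"}  # MDS / NX-OS role assignment

# Constructed sample shell profiles, as a TACACS+ server would return them.
PROFILE_MANDATORY = ["priv-lvl=15", 'shell:roles="network-admin"']
PROFILE_OPTIONAL = ["priv-lvl=15", 'shell:roles*"network-admin"']


def compare_profiles():
    """Run both profiles against both platforms; keys are (profile, platform)."""
    return {
        ("mandatory", "ios"): authorize(PROFILE_MANDATORY, IOS_UNDERSTOOD),
        ("optional", "ios"): authorize(PROFILE_OPTIONAL, IOS_UNDERSTOOD),
        ("mandatory", "nxos"): authorize(PROFILE_MANDATORY, NXOS_UNDERSTOOD),
        ("optional", "nxos"): authorize(PROFILE_OPTIONAL, NXOS_UNDERSTOOD),
    }


if __name__ == "__main__":
    for (profile, platform), (ok, applied) in compare_profiles().items():
        print(f"{profile:9s} profile on {platform:4s}: {'PASS' if ok else 'FAIL'} {applied}")
```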

  • RELEVANCY SCORE 2.87

    DB:2.87:Tacacs+ Custom Attributes For Adding Nortel Devices cs



     

    Dear All,

     

    Can anyone tell me what 'Custom Attributes' do we need to add for Nortel devices to communicate with Cisco ACS 4.2...?

     

    Thanks in advance.

     

     

    DB:2.87:Tacacs+ Custom Attributes For Adding Nortel Devices cs


    Here is the complete document for the Nortel device configuration. Go through it.

  • RELEVANCY SCORE 2.87

    DB:2.87:Acs 5.0 Authentication Of Wlse, Wlc, Mds Ace 91



    I am looking at an ACS 5.0 deployment. The doco mentions that TACACS custom attributes are not supported. Is there an alternative method to authenticate MDS and ACE devices with TACACS, which both use TACACS custom attributes?

    Additionally, WLCs and WLSE use some other sort of TACACS custom attributes (at least, they're configured differently in ACS 3.x / 4.x).

    DB:2.87:Acs 5.0 Authentication Of Wlse, Wlc, Mds Ace 91


    I thought I would bump this post in case someone may be able to answer my original question.

  • RELEVANCY SCORE 2.87

    DB:2.87:Rme: Tacacs Enable Passw.Shows Incorrect Under Check Device Attrib. Why ? jx



    Hello all,

    I have installed CiscoWorks 2000 (CD One 5th Edition ver. 1.2 and RME 3.4) on a Windows 2000 server platform.

    We are using TACACS+ as means of authentication for users. I created a TACACS+ account only to be used by CiscoWorks2000.

    When I go to RME - Admin - Inv - Check Device Attributes - select the device - Next - the TACACS section shows as INCORRECT. I have made sure I entered the right account userid and password set up in the TACACS+ DB. When I entered the device passwords or made other changes, I made sure I marked the fields not utilized as delete on the right hand side of the "Change Login Authentication information" window.

    When I entered the correct enable secret and TACACS+ info I still get those sections under Check Device Attributes marked as INCORRECT, only on CatOS devices.

    I do not have local userid/passwords set on devices. If TACACS+ fails I have only set up the telnet password and obviously the enable secret for IOS routers/switches and the enable password for CatOS devices.

    My problem is that when I go to check device attributes, the Enable Secret and TACACS section shows as OK on IOS devices.

    On CatOS devices the enable, telnet and the TACACS section all show as INCORRECT. I have made sure I entered the same values on both IOS and CatOS devices (4006's) when I changed device attributes, except for the section enable secret or enable password under the Change Enable Authentication Information window. I used enable secret only for IOS devices and enable password for CatOS because that's how I have them set up.

    I tried different combinations in the "Change Login Authentication information" and the "Change Enable Authentication Information" windows. None of them showed the Enable or TACACS sections as OK.

    I need this set up correctly so I can use Software Manager and Config Manager. Can I use these 2 apps even though the device attributes of the devices show as INCORRECT?

    Can anybody shed some light on this problem?

    Many thanks for taking the time to look at my problem.

    DB:2.87:Rme: Tacacs Enable Passw.Shows Incorrect Under Check Device Attrib. Why ? jx


    edit the file TacacsPrompts.ini located under /opt/CSCOpx/objects/cmf/data dir

    add passcode

    PASSWORD_PROMPT=Password:,password:,passwd:,PASSCODE:

    stop/start the daemon manager

    (/etc/init.d/dmgtd stop followed by /etc/init.d/dmgtd start)

  • RELEVANCY SCORE 2.87

    DB:2.87:Tacacs+ Authentication 79



    Is anybody successfully utilizing Linux for the TACACS+ or RADIUS authentication?

    Thanks

    DB:2.87:Tacacs+ Authentication 79


    On my previous job I used Linux as the primary AAA server (tac_plus) for 6 years. Approx. 1000 dial-up lines with high load.

  • RELEVANCY SCORE 2.86

    DB:2.86:Acs 5.5 Configuration Example? Multi-Site Ideas... mf



    Hi Folks,

    Working on deploying ACS 5.5 in a multi-site (5+) environment. With groups going away, what is the best way to allow location-based access? So far, I have the following - but it seems way overcomplicated.

     

    Each device is assigned a location in the NDG

    User Attributes: Location Restriction (string)

    Device Restrictions - Enumeration (e.g. Router: Read or Read/Write or No Access)

     

    Access Service Selection - Each site has its own TACACS and RADIUS Access Service (e.g. SITE_A-TACACS, SITE_A-RADIUS, SITE_B-TACACS, etc.). Matches are done on NDG Location and Protocol.

    Each SITE Access service (SITE_A-TACACS) has role based policies per device type. The following is an authorization policy for SITE_A Router Admin Access

    Router Admin Policy

    Check User Attribute: Device Restrictions: Enumeration Value: Router Admin

    AND

    - Check User Attributes: String: Location Restriction ( IF CONTAINS ) SITE_A OR

    -Check User Attributes: String: Location Restriction ( IF CONTAINS ) None

    Shell: Router Admin

    Command Set:  Router Admin

    It works great, however, that means the rules need to be duplicated if a new site is brought online.  Also, if a new device type is created, say, Firewalls, an additional user attribute would need to be created and all users updated.  Additionally, all sites in the service selection would need the appropriate device type added - SITE_A,B,C,etc would need a firewall authorization profile created.

     

    Thanks for reading

    DB:2.86:Acs 5.5 Configuration Example? Multi-Site Ideas... mf


    Hello,

     

    ACS is a policy-based server and, as with every policy server, you need to comply with a set of conditions to get a result.

     

    The best way to do it is by having as condition NDG location + NDG Device Type + User AD or local group = xxxx permission.

     

    Regards,

     

    Erick Delgado

  • RELEVANCY SCORE 2.85

    DB:2.85:Adding Custom Attributes For Juniper Netscreen Tacacs+ Authentication 88



  • RELEVANCY SCORE 2.81

    DB:2.81:Integration Acs 5.2 With Other Device (Sandvine) j9



    Hi, the following is to ask for your usual help. I have an ACS version 5.2 (TACACS) where I need to integrate it with Sandvine equipment; I am currently looking for information and there is very little on managing the integration of ACS with these Sandvine devices.

    I have some information from the provider Sandvine with a guide for this case which only states:

    -------------------------------------------------- -----------------------------------

    TACACS + server

    On a TACACS+ server, each user entry must allow the service "Sandvine". Within this service, the following attribute-value pairs can exist:

    • An attribute named "Sandvine-Group" of type string.

    Refer to the section "Radius Server" on page 17 for an explanation of each of the Sandvine-specific attributes. A typical user entry would look as follows:

    user = userA {
        default service = permit
        service = Sandvine {
            Sandvine-Group = "sv_operator, sv_admin"
        }
        login = cleartext "Passa"
    }

    -------------------------------------------------- ----------------------------------------

    Greetings and thanks for your help

    DB:2.81:Integration Acs 5.2 With Other Device (Sandvine) j9


    I want to know how to perform the integration between the Sandvine equipment and ACS 5.2. Are the steps you are sending me for the integration only those commands that get set? At the ACS application level, what other things are configured?

  • RELEVANCY SCORE 2.81

    DB:2.81:Tacacs: Ssh Fine, Fabric Manager Problems s1


  • RELEVANCY SCORE 2.81

    DB:2.81:Radius Support On Ciscoworks Rme 3.5 For Login Device Attributes fz



    We just changed the login option on our routers/switches from TACACS to RADIUS. In the inventory module of RME 3.5 I don't find support for RADIUS when I try to change the login authentication information. I only see fields for TACACS login options.

    Is there support for radius? If no, is there is any way to get around it. We need to authenticate to upload/implement/reload newer images in our devices.

    Thanks for any info.

    DB:2.81:Radius Support On Ciscoworks Rme 3.5 For Login Device Attributes fz


    The Tacacs option supports Radius also. We use Radius at our site and I have never had a problem with authentication using CiscoWorks.

  • RELEVANCY SCORE 2.80

    DB:2.80:Can Prime Report On What Devices Are In Prime But Not Running Ssh Or Tacacs+ xc



    I currently have 150+ switches and routers in Prime Infrastructure 2.1. I was looking to see if there was an easy way to run a report on the switches and routers to see if any were not running SSH or TACACS+.

     

    Thanks

    DB:2.80:Can Prime Report On What Devices Are In Prime But Not Running Ssh Or Tacacs+ xc


    Configuration discrepancy reports such as you're asking about are not quite in Prime Infrastructure in any robust form. They are in Prime LMS and targeted for a future release of PI. This is noted in the functional comparison document.

  • RELEVANCY SCORE 2.80

    DB:2.80:Tacacs - Ssh Fine, Fabric Manager Not... kz


  • RELEVANCY SCORE 2.80

    DB:2.80:Tacacs Admin Mgmt Using Acs5 zm


    Does anyone know which vendor attributes are required for tacacs admin authentication. Also, how to set them up on ACS5 and values associated with each attribute.

    DB:2.80:Tacacs Admin Mgmt Using Acs5 zm

    This works with Radius, but not TACACs at this time. The Aruba Controller does not act on tacacs attributes. Check out the article here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=704



    Colin Joseph

    Aruba Customer Engineering

  • RELEVANCY SCORE 2.80

    DB:2.80:Acs Tacacs Custom Attributes j3



    I have users that require multiple custom attributes under the TACACS configuration. Below are the two that are required, one is for Cisco UCS and the other is for MDS. My question is what is the format to get both of them to work for the same user? Individually they work fine, but when both are configured for the same user, the UCS "admin" privilege seems to work, but I'm only able to get "read" for the MDS. I've had this working before, and can't figure out what the trick was the first time around. Thanks.

    cisco-av-pair*shell:roles*"admin"

    shell:roles="network-admin vsan-admin"

    DB:2.80:Acs Tacacs Custom Attributes j3


    Hi there,

    We are looking at setting up UCS on TACACS.

    The one question I can't find in the documentation is what happens when TACACS server fail?

    One would assume that it would fall back to Local but I can't seem to find this information.

    Regards - TN.

  • RELEVANCY SCORE 2.79

    DB:2.79:Inventry Error az



    Hi,

    When I 'Check Device Attributes' for Telnet/Tacacs/Tacacs Enable it says NOT SUPPORTED.

    For C3550 and Catalyst 4003.

    I have RME 3.3, any ideas?!?!

    Thanks in advance.

    DB:2.79:Inventry Error az


    Hi Nhabib (Habib),

    Fantastic... thanks very much, I will give this a go and hope it works.

    Thanks,

    Vipul

  • RELEVANCY SCORE 2.79

    DB:2.79:Tacacs 9c



    Can someone explore the basics of TACACS.

    Regds

    Rajesh Barhia

    DB:2.79:Tacacs 9c


    When you create a user account within the TACACS+ program, you have the ability to assign specific commands to that user, or users, if you choose to group them together.

    The structure is similar to Windows Server/workstation, create users, create groups, assign users into those groups, apply a certain permission set to that group that all the users will then inherit.

    You can identify which commands that you will allow within the group and the users within that group will only have those commands available to them upon their logon and authentication via AAA.

  • RELEVANCY SCORE 2.79

    DB:2.79:Radius Authorization For Waas Cm Gui mf



    Hi,

    We would like to enable radius authorization to the WAAS Central Manager GUI. We are having some problems doing this. Also this is only documented for TACACS and not for Radius.

    We've seen the waas_rbac_groups attribute that can be delivered via Tacacs, can this attribute also travel in the radius attributes? We've already tried: shell:waas_rbac_groups on a Cisco-AV-Pair but that doesn't do it.

    There should be a way; knowing that TACACS is very rare these days.

    Please help us

    Regards,

    Erik

    

    DB:2.79:Radius Authorization For Waas Cm Gui mf



  • RELEVANCY SCORE 2.77

    DB:2.77:Cisco Prime 2.0 User Log In Problems 1j



    I have a Cisco Prime Infrastructure 2.0 install that I am having problems with. I have completed the setup and have the devices in the program that I currently want to manage. My problem is with logging in by means of TACACS+. I followed the instructions about copying the tasks from the root user into TACACS+, but when I log in with a user in the correct group, my login doesn't get all of the options that I would get if I logged in with the root account.

    I updated my TACACS to 4.2, I can't go any higher with my current hardware, because I thought the 4.1 version might be causing the error. The update didn't help at all.

    I would appreciate any help you can give.

    DB:2.77:Cisco Prime 2.0 User Log In Problems 1j


    The real shame in this whole thing is it is Cisco's fault for putting out a bad manual. I downloaded the Admin Guide in October 2013 and it is dated September 2013 and the manual says to name the service "Prime Infrastructure". When I look for the Admin Guide online, it is dated November 2013 and it says to name it "NCS". If the manual I had downloaded had been correct, I wouldn't have had this problem to begin with. I made sure I downloaded the manual from the Cisco website too, hoping to avoid something like this and it still bit me in my backside.

  • RELEVANCY SCORE 2.77

    DB:2.77:Ios: Auth-Proxy With Tacacs zd




  • RELEVANCY SCORE 2.77

    DB:2.77:Ace 4710 A3(2.0) And Aaa / Tacacs / Acs 3d



    Hi,

    I have recently opened a TAC case on an issue I'm having with authenticating users via TACACS on the ACE 4710.

    The TAC engineer is telling me that for the authentication to work I need that same user to also have an account on the proper context (Admin context in this case). For example if I get an ACS account named netadmin, I will also need to create that account on the ACE 4710 (kind of like MARS...).

    Is this true?

    From the past posts I have read it seems people have gotten this to work by using the following two steps:

    A. Configure ACS properly

    1. Select user

    2. Scroll down to tacacs+ setting

    3. check "shell(exec)" option

    4. check "custom attributes"

    5. Add the custom AV-Pair info in the following format:

    shell:Admin*Admin default-domain.

    6. Save / and then stop/start ACS services

    B. Configure the ACE

    tacacs-server host a.b.c.d key XXXXXX

    aaa group server tacacs+ TACACS

    server a.b.c.d

    aaa authentication login default group TACACS local

    aaa authentication login console none

    aaa accounting default group TACACS local

    aaa authentication login error-enable

    Are there people out there using this successfully without the ACS accounts needing to also be on the ACE?

    Thanks in advance!

    Brad

  • RELEVANCY SCORE 2.77

    DB:2.77:Acs 5.0 No Directory Groupdirectory Attributes? 1p



    Hi

    I have CSACS 5.0 here. I checked the external identity stores active directory but there is no option for directory groups and directory attributes.

    Can someone guide me on this.

    Also, whe i configure from my router to communicate with ACS like this:

    aaa authentication login default group tacacs+

    aaa authentication enable default group tacacs+ enable

    I cannot authenticate, error said authentication failed. Is my configuration is wrong or do I need to add other configuration for authentication

    thank you and best regards


  • RELEVANCY SCORE 2.76

    DB:2.76:Custom Application To Set/Get Tacacs+ Information A User af



    Hi,

    I have to develop a custom application that sets/gets TACACS+ information for a particular user profile.

    I was able to set values in "TACACS+ Enable Control" form and "TACACS+ Enable Password" form using action code 105.

    But I am not able to set "Use separate password" flag and separate password in "TACACS+ Enable Password" form,

    and TACACS+ Outbound Password . Can somebody give me the actioncodes and show how the entries in accountactions.csv file

    will look for the mentioned operations that is:

    1) to update TACACS+ outbound password, and

    2) to set "Use separate password" flag and separate password in "TACACS+ Enable Password" form

    My next question would be:

    How do we retrieve the TACACS+ outbound password and the attribute values in the "TACACS+ Enable Password" form from dump.txt?

    I was able to retrieve values for attributes in TACACS+ Enable Password" form

    Following is a sample entry in dump.txt for these attributes:

    App01 enable_passwd ESTRING 0x0018 6a 35 9b 76 ce c3 81 9c 6d 1c d5 41 06 1a 4e 07 92 8d 50 06 de d4 2a 89

    App01 max_priv STRING 0,3 (used for attributes in TACACS+ Enable Password" form)

    App01 max_priv_LENGTH INTEGER 3

    I also checked the link: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/ag.html

    But I did not find satisfactory information.

    Please reply ASAP, your help will be most appreciated.

    Ravi

    DB:2.76:Custom Application To Set/Get Tacacs+ Information A User af


    Hi,

    Could you give examples for cases 1) and 2).

    Could you provide an alternate way to retrieve values especially TACACS+ Enable Password attributes. I am lost here.

    Awaiting your reply,

    Ravi.

  • RELEVANCY SCORE 2.76

    DB:2.76:Tacacs+ Custom Attributes Disappear?! f1



    Hi, I'm running ACS 4.1(4) Build 13 Patch 1

    and a weird thing is happening:

    I need to make a user an admin on a Nexus switch, so I'd like to add the TACACS+ custom attribute cisco-av-pair*shell:roles="network-admin" to the user.

    I can do that all right, and submit it without any error message, but when I look at the user right after that the custom attribute box is blank and both the custom attributes and "Shell" checkboxes are cleared. I have no idea where to start looking, anyone have any clues?

    /Olof

    DB:2.76:Tacacs+ Custom Attributes Disappear?! f1


    Thanks, but it did not help.

    I was already running 1.6.0_16 and tried with both IE6 and Firefox and also attempted to edit it with IE6/JRE 1.5.0_12.

    Still disappears.

    Thanks anyway for the effort!

    /Olof

  • RELEVANCY SCORE 2.76

    DB:2.76:Acs Group Not Working pj



    Currently running ACS 4.2.  Trying to assign UCS access using a group.  Did the following:

    1) Created a group call Server Admin

    2) In the TACACS+ Settings - select Shell (exec)

    3) In the TACACS+ Settings - select Custom attributes

    4) In the TACACS+ Settings - enter - cisco-av-pair=shell:roles="admin"

    5) Assign a user (with default user settings) to Server Admin group

    When the user tries to login to UCS they get the following error message:

    Login Error: Failed login info: Authentication failed.

    If I assign the above settings (from the group information above) to the user, the user (not using a group) can log in to UCS.  Isn't the purpose of the group to allow you to assign security attributes to a group of users instead of assigning these attributes to each user separately?

    DB:2.76:Acs Group Not Working pj


    Please change the av-pair format. It looks as if you are using the RADIUS format and not the TACACS+ one; try using shell:roles*admin (keep in mind that using = will break TACACS+ authentications to your IOS devices). * makes this attribute optional.

    Give it a try and that should get you rolling.
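The = versus * distinction in the answer above is the TACACS+ argument separator (RFC 8907): a=b is mandatory, a*b is optional, and only the first = or * in the string counts, so the value itself may contain either character. What reaches the device is the argument after ACS's shell: service prefix, consistent with the NX-OS debug output later on this page, which logs the received argument as roles=Network-Admin. The following Python is an added example, not code from this thread or from Cisco ACS: it encodes and decodes an authorization REPLY body and mimics the client-side rule that a mandatory argument the client does not understand fails the authorization, while an optional one it does not understand is simply dropped. The set of "understood" argument names given to the client is a constructed assumption for the demonstration; the real list for an IOS or NX-OS device is not on this page.

```python
"""TACACS+ authorization arguments: mandatory '=' versus optional '*'.

Added example (not code from the thread or from Cisco ACS). The reply layout
follows RFC 8907 section 6.2: status, arg_cnt, server_msg_len, data_len,
one length byte per argument, then server_msg, data and the arguments.
"""
import struct

# Authorization REPLY status values (RFC 8907).
PASS_ADD, PASS_REPL, FAIL, ERROR = 0x01, 0x02, 0x10, 0x11


def split_arg(arg: str):
    """Split one argument at its first '=' (mandatory) or '*' (optional).

    Returns (name, value, mandatory). Only the first separator counts, so a
    value such as 'network-admin vdc-admin' or one containing '=' survives.
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"no '=' or '*' separator in {arg!r}")


def make_arg(name: str, value: str, mandatory: bool) -> str:
    """Build 'name=value' or 'name*value'; names may not contain a separator."""
    if "=" in name or "*" in name:
        raise ValueError("argument name may not contain '=' or '*'")
    return f"{name}{'=' if mandatory else '*'}{value}"


def encode_author_reply(status: int, args, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Serialise an authorization REPLY body (packet header and obfuscation not included)."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(e) > 255 for e in encoded):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(e) for e in encoded)
    return body + server_msg + data + b"".join(encoded)


def decode_author_reply(body: bytes):
    """Inverse of encode_author_reply; returns (status, args, server_msg, data)."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("trailing bytes after the last argument")
    return status, args, server_msg, data


def client_evaluate(body: bytes, understood):
    """Apply the client-side rule to a reply.

    'understood' is the set of argument names this device knows (a constructed
    assumption; a real IOS or NX-OS list is not on this page). A mandatory
    argument outside that set fails the authorization; an optional one is dropped.
    Returns (authorized, accepted_attributes).
    """
    status, args, _, _ = decode_author_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return False, {}
    accepted = {}
    for arg in args:
        name, value, mandatory = split_arg(arg)
        if name in understood:
            accepted[name] = value
        elif mandatory:
            return False, {}
    return True, accepted


if __name__ == "__main__":
    # The same server reply sent to an IOS-style client that only knows priv-lvl.
    ios_knows = {"priv-lvl"}
    mandatory_roles = encode_author_reply(PASS_ADD, [make_arg("priv-lvl", "15", True),
                                                     make_arg("roles", "admin", True)])
    optional_roles = encode_author_reply(PASS_ADD, [make_arg("priv-lvl", "15", True),
                                                    make_arg("roles", "admin", False)])
    print("roles=admin ->", client_evaluate(mandatory_roles, ios_knows))
    print("roles*admin ->", client_evaluate(optional_roles, ios_knows))
    print("roles*admin on a client that knows roles ->",
          client_evaluate(optional_roles, {"priv-lvl", "roles"}))
```

The shell profile shared by UCS, Prime and IOS devices in the first thread on this page works for the same reason: an attribute written with * is harmless on a device that has never heard of it, so one profile can carry roles for several platforms as long as each platform-specific attribute is optional.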

  • RELEVANCY SCORE 2.74

    DB:2.74:Cisco Prime Lms 4.2 Tacacs Auth Acs 5.4 97



    Hello,

    We have authentication established between LMS 4.2 and ACS 5.4 but having issues associating users with the Super Admin role.  Currently the default role configured on LMS is the Help Desk role and that's what users are getting associated with when getting authenticated via ACS.  I attempted to configure ACS to send back a custom shell profile with "role0 = Super Admin" (similar to Prime Infrastructure 2.1) but that doesn't appear to be working.  How do I need to configure ACS 5.4 to send back the appropriate role?

    Thanks,

    Brian

    DB:2.74:Cisco Prime Lms 4.2 Tacacs Auth Acs 5.4 97


    Hi Brian,

    What Vinod said is absolutely correct, I think I overlooked the problem and thought you were trying to integrate PI with ACS.

     

    From LMS 4.x onwards, integration with ACS has changed as we don't depend on ACS anymore for authorization; it is done locally through the LMS ONLY.

     

    Thanks-

    Afroz

  • RELEVANCY SCORE 2.74

    DB:2.74:Cmx Analytics And Tacacs 1c



    Hi

    Does anyone know if it is possible to enable TACACS on an MSE in order to get access to the Location Analytics service? http://MSE-IP-Address:8080/ui

    I know it is possible for Cisco Prime because it is actually working in my network, but I've been trying to log into Analytics with my AD credentials and it just does not work.

    I had to create a local user in the MSEUser section             


  • RELEVANCY SCORE 2.74

    DB:2.74:Catalyst Device Attributes xp



    It seems like no matter what I do, I can't put the right telnet passwords in for the device attributes. Every time I check the device attributes it comes back and tells me the passwords are wrong, when I know they are right. All the IOS switches work, however the Catalyst do not. It comes back as incorrect on the local telnet passwords and the TACACS telnet passwords.

    DB:2.74:Catalyst Device Attributes xp


    Thank you for pointing me in the right direction. It turns out that it was the bug CSCdt73764. I had to put a '' at the end of the prompt and everything worked fine. Thank you again

  • RELEVANCY SCORE 2.73

    DB:2.73:Tacacs+ Authentication On Juniper Screen Os Using Acs 5.3 pz



    Tacacs  Authentication and Authorization were passed on ACS5.3, but Entering username and password in the security device (Juniper SSG5) gives Access denied, attached is Tacacs cfg.

    set auth-server TACACS+ id 1

    set auth-server TACACS+ server-name 10.10.xx.yy

    set auth-server TACACS+ account-type admin

    set auth-server TACACS+ type tacacs

    set auth-server TACACS+ tacacs secret xxxx

    set auth-server TACACS+ tacacs port 49

    set admin auth server TACACS+

    set admin auth remote primary

    set admin auth remote root

    set admin privilege get-external

    Please advise.

    DB:2.73:Tacacs+ Authentication On Juniper Screen Os Using Acs 5.3 pz


    You can have max. of 2 SPAN sessions per Cisco device.

    You'll need to remove one of the existing sessions to set up a new one.

  • RELEVANCY SCORE 2.73

    DB:2.73:Attributes For Imported Devices aj



    When I import devices from HPOV, they are added directly into the RME database, however they only have SNMP info, no telnet or TACACS info. Is there a way to identify newly imported devices and assign them the appropriate device attributes?

    DB:2.73:Attributes For Imported Devices aj


    If you export the database, you can edit the file, and when you reimport them, use the option "Use data from Imported Devices". This will update the devices with any added information or changes that you made. However, if you delete a field, you should enter in the following to indicate that you want it deleted "!{[NOVALUE]}!", otherwise CiscoWorks will leave the field with the old value.

  • RELEVANCY SCORE 2.72

    DB:2.72:Nexus 7000 And Acs Av-Pairs xk



    Dear all,

    I'm having an issue with TACACS+ AAA setup with a Nexus 7000 running 4.2(2a) and ACS 4.2. I've added the av-pair string of shell:roles="network-operator vdc-admin" into the TACACS+ settings under the group custom attributes. When I log in, the login hangs waiting for the custom attribute pair to respond back to the switch, which it doesn't seem to do, and it then dumps me into the vdc-operator role and not the vdc-admin role. Can anyone give me any additional pointers? Thanks in advance, Col

    DB:2.72:Nexus 7000 And Acs Av-Pairs xk


    One other thing I had to send was TACACSPLUS-Priv-Level = ROOT

    which by the way was not in any manual.  

  • RELEVANCY SCORE 2.72

    DB:2.72:Prime Tacacs Attributes ps



    I'm configuring Prime TACACS+ access, so every login account goes through our ISE deployment for the right authorization. I got this working for RADIUS but it seems that this configuration doesn't work for TACACS+.

    Radius configuration that works

    ACCESS_ACCEPT

    cisco-av-pair=NCS:role0=Root

    cisco-av-pair=NCS:task26=All

    cisco-av-pair=NCS:task15=Administration Menu Access

    cisco-av-pair=NCS:task52=Help Menu Access

    cisco-av-pair=NCS:task67=Services Menu Access

    cisco-av-pair=NCS:task89=Monitor Menu Access

    cisco-av-pair=NCS:task118=Home Menu Access

    cisco-av-pair=NCS:task138=Reports Menu Access

    cisco-av-pair=NCS:task141=Tools Menu Access

    cisco-av-pair=NCS:task158=Configure Menu Access

    cisco-av-pair=NCS:virtual-domain0=ROOT-DOMAIN

    I only have to give the authorization profile access to the 'main menus'; it seems to work with task 26 'All'. However, this configuration doesn't work for TACACS+. I also figured out that the task numbers have been switched between the different versions of Prime. I can't figure out which task numbers are correct. The documentation on this part of the configuration is missing in the official guides. Any help would be appreciated.

    The goal is to give the user root access in Cisco Prime 1.3, with all levels. But authentication must go through our ISE server deployment, so we can use our own authentication backend (RSA, Active directory)

    DB:2.72:Prime Tacacs Attributes ps


    Hi Christopher,

    You're right. I was searching exactly in the wrong place. Like you said in the first post, that was the place I was searching. So for each Prime version changes are made here.

  • RELEVANCY SCORE 2.71

    DB:2.71:Rme Timing Out On Tacacs+ Connection To Switch 8p



    When checking the device attributes in RME 3.4 to a c3548XL switch that has a TACACS+ login, it comes back with the TACACS+ password is incorrect. I debug the authentication on the switch and see that the connection times out without ever checking the password. I can telnet to the switch and the username and passcode works fine.

    Any help would be appreciated.

    DB:2.71:Rme Timing Out On Tacacs+ Connection To Switch 8p


    Just to give you a heads up, Windows 2000 Service Pack 3 is not currently supported by LMS 2.1

  • RELEVANCY SCORE 2.71

    DB:2.71:Anyone Know Of A Doc Covering Using Acs 5.3 To Control Guest Vlan Using Tacacs? dc



    Hi,

    If anyone could help with this I'd appreciate it.

    I've configured an ACS 5.3 system and all my groups etc. function correctly both for Network Access and for Device Administration.

    However I'm stuck trying to allow clients to authenticate against the router's web page, i.e. Web-Authentication, using TACACS+ between the router and the ACS 5.3.

    I've looked into this and I need to configure a custom-attribute of "service" with type Outbound and link this to an Authorization policy.

    I feel that configuring the Custom Attributes is where I'm stuck.

    Once again thanks for any help,

    Brian

    DB:2.71:Anyone Know Of A Doc Covering Using Acs 5.3 To Control Guest Vlan Using Tacacs? dc


    Thanks for your suggestion. As the previous version of ACS was configured with RADIUS I'm being pressed to use that. However, thanks for your assistance Tarik.

    Thanks

  • RELEVANCY SCORE 2.69

    DB:2.69:Tacacs For Manegment Users On Aruba Controller Not Matching Vsa cs



    Scenario

    Using TACACS for mgmt user access I always get root access regardless of what is sent back from CPPM; read-only does not work as it should.

    I have a controller running AOS 6.1.34, Configured for TACACS to auth the mgmt users

    ---------------- AOS config --------------

    aaa authentication-server tacacs "10.254.5.21" host 10.254.5.21 key b8059de7fd5ba7390bf9256f791c9d61d2b11b7e69e07117 session-authorization

    !
    aaa authentication mgmt
      server-group "tacacs"
      enable
    !

    ---------- end AOS config -------\

    On ClearPass I can see the Auth request hit access tracker and I see that it is useing the standard [Aruba TACACS Read-Only Access] enforcement profile

    for a user that is not an admin I get full access when I log into the controller. When I use an admin account it works as expected

    Questions:

    1. What is the logging to see the admin user log in and the attributes sent back from ClearPass, to confirm that the controller is receiving what Access Tracker says is sent?

    2. Did I miss something in the config ?











    DB:2.69:Tacacs For Manegment Users On Aruba Controller Not Matching Vsa cs


    Interesting: after a reboot of the controller the read-only access restrictions are working.

    Before they were not,

    but you can see that CPPM is sending back the right VSA (role):

    ---------- clip from cli ----------

    (P3Controller1) #show loginsessions
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:00:31
    2   itadmin    root       172.16.199.249   00:00:00   00:00:47

    (P3Controller1) #show loginsessions
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:02:02
    2   engineer   read-only  172.16.199.249   00:00:09   00:00:58

    (P3Controller1) #show loginsessions
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:04:11
    2   test       read-only  172.16.199.249   00:00:12   00:00:22
    (P3Controller1) #

    ---------- end clip ---------

  • RELEVANCY SCORE 2.69

    DB:2.69:Custom Application To Set/Get Tacacs+ Information A User kx



    Hi,

    I have to develop a custom application that sets/gets TACACS+ information for a particular user profile.

    I was able to set values in "TACACS+ Enable Control" form and "TACACS+ Enable Password" form using action code 105.

    But I am not able to set "Use separate password" flag and separate password in "TACACS+ Enable Password" form,

    and TACACS+ Outbound Password . Can somebody give me the actioncodes and show how the entries in accountactions.csv file

    will look for the mentioned operations that is:

    1) to update TACACS+ outbound password, and

    2) to set "Use separate password" flag and separate password in "TACACS+ Enable Password" form

    My next question would be:

    How do we retrieve the TACACS+ outbound password and the attribute values in the "TACACS+ Enable Password" form from dump.txt?

    I was able to retrieve values for attributes in TACACS+ Enable Password" form

    Following is a sample entry in dump.txt for these attributes:

    App01 enable_passwd ESTRING 0x0018 6a 35 9b 76 ce c3 81 9c 6d 1c d5 41 06 1a 4e 07 92 8d 50 06 de d4 2a 89

    App01 max_priv STRING 0,3 (used for attributes in TACACS+ Enable Password" form)

    App01 max_priv_LENGTH INTEGER 3

    I also checked the link: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/ag.html

    But I did not find satisfactory information.

    Please reply ASAP, your help will be most appreciated.

    Ravi

    DB:2.69:Custom Application To Set/Get Tacacs+ Information A User kx


    Action code 105 *should* do everything needed to get the enable password set to your value.

    If it doesn't then it's a bug in RDBMS sync.

    Passwords in ACS are encrypted and you cant extract them - by design.

    Darran

  • RELEVANCY SCORE 2.68

    DB:2.68:Ace And Tacacs+ Auth 1s



    I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices.  I have all the routers and switches working just fine, but am having an issue with getting the ACE to use TACACS.  I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine.  I found some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content are below.  I know the AAA is working with this TACACS server as the accounting functions properly.

    ACE AAA

    tacacs-server host 10.1.0.202 key 7 removed
    aaa group server tacacs+ TAC_AUTH
      server 10.1.0.202

    !

    aaa authentication login default group TAC_AUTH local

    aaa authentication login console group TAC_AUTH local
    aaa accounting default group TAC_AUTH local

    tac_plus.conf

    #----------------------------------------------------------------------#
    # Accounting Logs
    #----------------------------------------------------------------------#
    accounting file = /data/tacacs.log

    #----------------------------------------------------------------------#
    # Server Key
    #----------------------------------------------------------------------#
    key = removed

    #----------------------------------------------------------------------#
    # ACL
    #----------------------------------------------------------------------#
    acl = auth_routers {
        permit = .*
    }

    #----------------------------------------------------------------------#
    # Groups
    #----------------------------------------------------------------------#
    group = admin {
        login = file /etc/passwd
        acl = auth_routers
        service = exec {
            optional shell:Admin = "Admin default-domain"
        }
    }

    #----------------------------------------------------------------------#
    # Users
    #----------------------------------------------------------------------#
    user = admin1 {
        default service = permit
        member = admin
    }

    user = admin2 {
        default service = permit
        member = admin
    }

    user = admin3 {
        default service = permit
        member = admin
    }

  • RELEVANCY SCORE 2.68

    DB:2.68:Acs 5.3.40.1 Bulk Edit Problem With Some Wcs Attributes 38



    Hi there

    I just wanted to import the WCS TACACS+ SuperUsers attributes on ACS 5.3.40.1 via the new bulk edit feature. If I try the following attributes and click submit, my admin user is logged out of the web GUI and the changes are not saved:

    task13=View Alerts and Events

    task15=Delete and Clear Alerts

    task16=Pick and Unpick Alerts

    task17=Ack and Unack Alerts

    Seems to be a bug. Does anybody confirm this?

    Best regards

    Dominic

    DB:2.68:Acs 5.3.40.1 Bulk Edit Problem With Some Wcs Attributes 38


    I have installed and I can now enter the rest of the values. Thanks.

  • RELEVANCY SCORE 2.68

    DB:2.68:Prime 7d


    Does HSBC have a prime card?

    DB:2.68:Prime 7d

    fused111 wrote: As a general rule Amex, Discover, CITI, Chase and BoA are commonly thought of as prime. However, each of these has sub-prime offerings. Amex was the latest to test these waters and I suspect Discover will follow suit. There have been some recent posts on Discover approvals with scores in the mid to high 600's and that was unheard of a year or two ago. Strange isn't it that the mortgage and CC industries are moving in opposite directions.

    Nice observation. It would appear that they are moving in opposite directions. Figures are totally different but you make a good point.

  • RELEVANCY SCORE 2.68

    DB:2.68:Cisco Prime Authorization 87



    I have an ACS 4.2 server running - and it points to a remote ldap database.

     

    AAA for our devices points to this TACACS server.  I tried to set up Prime Infrastructure to do the same, but I keep getting the authentication working, but then an error message for the authorization prevents me from going further. 

     

    I realize I can locally set up a user on PI and give them admin status etc., but I'd really like to simply have PI point to our ACS and authenticate and authorize each user.  I don't want to have to set (or reset) a p/w for our admins to use Prime. 

     

    is this possible?

     

    Thanks. 

    DB:2.68:Cisco Prime Authorization 87


    Cisco has phased out use of an external server for authorization within the application. This used to be available with LMS 3.x but no longer is offered.

    Currently all of the role-based authorization control (RBAC) for PI users has to be done locally on the server and cannot be derived from the roles defined in your ACS server. 

  • RELEVANCY SCORE 2.68

    DB:2.68:Aaa Role Based In Nexus xa



    I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code.  I seem to have ACS set up correctly based on documentation I received through here.  The problem is that the NX-OS doesn't seem to be operating as expected.  I performed a debug on the Nexus and received the following output:


    2011 Feb  8 07:04:23.227576 tacacs: tplus_decode_author_response: Attributes count 3

    2011 Feb  8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15

    2011 Feb  8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15

    2011 Feb  8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin        

    2011 Feb  8 07:04:23.227931 tacacs: tplus_getroles(1937)Feature privilege: Disabled

    2011 Feb  8 07:04:23.227959 tacacs: tplus_getroles(1957): privilege level 15, corresponding role is: network-admin

    2011 Feb  8 07:04:23.227971 tacacs: tplus_decode_author_response: privilege level 15 is specified and corresponding role is network-admin

    2011 Feb  8 07:04:23.228007 tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0

    2011 Feb  8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin

    2011 Feb  8 07:04:23.228029 tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX

    2011 Feb  8 07:04:23.228039 tacacs: tplus_decode_author_response: exiting for aaa session: 0

    Yes, in this scenario I do get put into the Network-Admin role, but that is based on priv and not the roles AV setting.  This is important because I have other roles that need assigning (i.e. VDC-Admin and "READ_CONFIG", which is added through the CLI).

    So I figured that setting the Privilege level was causing my problem and reran the same test:


    2011 Feb  8 07:10:24.052767 tacacs: tplus_decode_author_response: entering for aaa session: 0

    2011 Feb  8 07:10:24.052788 tacacs: tplus_decode_author_response: Attributes count 2

    2011 Feb  8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15

    2011 Feb  8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin        

    2011 Feb  8 07:10:24.052825 tacacs: tplus_decode_author_response: privilege level is not specified or if specified, roles has been given priority

    2011 Feb  8 07:10:24.052855 tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0

    2011 Feb  8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX

    2011 Feb  8 07:10:24.052876 tacacs: tplus_decode_author_response: exiting for aaa session: 0

    But as you can see in the debugs neither works as expected.  I am trying to determine if this is a simple config that I am missing or do I need to open a TAC case to be looked at as a bug?

    AAA/TACACS config:

    aaa authentication login default group TACACS-Servers
    aaa accounting default group TACACS-Servers
    aaa authentication login error-enable

    feature tacacs+

    tacacs-server host XX.XXX.XX.XX key REMOVED
    aaa group server tacacs+ tacacs
    aaa group server tacacs+ TACACS-Servers
        server XX.XXX.XX.XX
        use-vrf management

    Any help would be appreciated.

    DB:2.68:Aaa Role Based In Nexus xa


    Hello Matthew,

    I'm also blocked by this kind of custom attribute.

    We are migrating from TACACS 4.1 to 5.2, but the Custom Attributes / Shell (exec) fields have disappeared.

    In attachment, I've put 2 screenshot.

    The config for v4.1 is running, but it's impossible for me to have this config well working on the v5.2.

    In 4.1, in user creation/edition, we check the "Shell (exec)" checkbox, then the "Custom attributes" checkbox, and put one or several lines of parameters. In my example, for Nexus, the working line for v4.1 is the following:
    shell:roles*network-admin

    On TACACS 5.2, I've added a new field in User attributes by going into:

    System Administration - Configuration - Dictionaries - Identity - Internal Users

    Create, and I've tried several configurations of attribute names and values, but without success.

    Parameter name (Attribute)       Value
    ==========================================================
    shell:roles                      network-admin
    shell:roles                      *network-admin
    Custom attributes                shell:roles*network-admin
    shell                            shell:roles*network-admin
    shell                            roles*network-admin
    roles                            network-admin
    cisco-av-pair*shell:roles        network-admin
    cisco-av-pair*shell              roles*network-admin
    cisco-av-pair                    shell:roles*network-admin

    Whatever the parameter I set, result is always the same when I perform a sh user-account on Nexus ...

    Nexus# sh user-account
    user:em739
            roles:vdc-operator
    account created through REMOTE authentication
    Credentials such as ssh server key will be cached temporarily only for this user account
    Local login not possible

    The good results (like with v4.1) should be :

    Nexus# sh user-account
    user:em739
            roles:network-admin
    account created through REMOTE authentication
    Credentials such as ssh server key will be cached temporarily only for this user account
    Local login not possible

    Have you found a solution for your problem?

    Thank you very much.

    Fred.
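Two details in the debug output above are worth checking mechanically before opening a TAC case: the first run carried priv-lvl=15 next to roles, and the switch says it derived the role from the privilege level; and the roles value the switch received reads "Network-Admin" followed by trailing spaces, while the role the switch reports in sh user-account is spelled network-admin. The Python below is an added example, not code from this thread or from Cisco: it pulls the decoded arguments out of tplus_decode_author_response lines and compares the roles value, character for character, against a set of role names. KNOWN_ROLES is a constructed assumption built from the role names printed on this page; whether NX-OS compares role names case-sensitively is not stated here, so the check only reports that the strings differ and leaves the conclusion to the operator. The sample debug lines are copied from the first run above.

```python
"""Check the roles/priv-lvl arguments in NX-OS 'debug tacacs+' output.

Added example (not code from the thread or from Cisco). It extracts the
authorization arguments from tplus_decode_author_response lines and flags
what commonly leaves a login in vdc-operator: a roles value that does not
match a known role exactly (case or whitespace), no roles at all, or a
priv-lvl sent alongside roles. KNOWN_ROLES is a constructed assumption.
"""
import re

ATTR_RE = re.compile(r"tplus_decode_author_response: attribute \d+ (?P<arg>.*)$")

# Role names as the switch prints them on this page; extend with local roles.
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

# Constructed sample: the first debug run above, trailing spaces included.
SAMPLE_DEBUG = [
    "2011 Feb  8 07:04:23.227576 tacacs: tplus_decode_author_response: Attributes count 3",
    "2011 Feb  8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15",
    "2011 Feb  8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15",
    "2011 Feb  8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin        ",
]


def split_arg(arg):
    """Split at the first '=' (mandatory) or '*' (optional); returns (name, value, mandatory)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"no separator in {arg!r}")


def parse_debug(lines):
    """Return the argument strings exactly as the debug printed them (spaces kept)."""
    args = []
    for line in lines:
        m = ATTR_RE.search(line.rstrip("\n"))
        if m:
            args.append(m.group("arg"))
    return args


def check_roles(args, known_roles=KNOWN_ROLES):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    attrs = {}
    for arg in args:
        name, value, mandatory = split_arg(arg)
        attrs[name] = (value, mandatory)
    findings = []
    if "roles" not in attrs:
        findings.append(("NO_ROLES", "reply carries no roles attribute"))
    else:
        raw = attrs["roles"][0]
        if raw != raw.strip():
            findings.append(("ROLE_WHITESPACE", repr(raw)))
        for role in raw.split():          # roles may list several, space-separated
            if role in known_roles:
                continue
            if role.lower() in known_roles:
                findings.append(("ROLE_CASE", f"{role!r} vs {role.lower()!r}"))
            else:
                findings.append(("ROLE_UNKNOWN", role))
    if "priv-lvl" in attrs:
        findings.append(("PRIV_LVL", f"priv-lvl={attrs['priv-lvl'][0]} sent alongside roles; "
                                     "the first debug run derived the role from it"))
    return findings


if __name__ == "__main__":
    for code, detail in check_roles(parse_debug(SAMPLE_DEBUG)):
        print(f"{code:16} {detail}")
```

Run it over a fresh `debug tacacs+` capture from the switch; a clean reply (roles=network-admin, no priv-lvl) produces no findings, which narrows the remaining suspects to the ACS 5.x attribute definition itself.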

  • RELEVANCY SCORE 2.68

    DB:2.68:Tacacs xx



    Hi,

    I tried to install TACACS in a VRF-enabled VPN site but it is not working.

    aaa authentication login default group tacacs+ line

    aaa authentication login no_tacacs line

    aaa authorization exec default group tacacs+ if-authenticated

    aaa authorization commands 0 default group tacacs+ if-authenticated

    aaa authorization commands 1 default group tacacs+ if-authenticated

    aaa authorization commands 15 default group tacacs+ if-authenticated

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 0 default start-stop group tacacs+

    aaa accounting commands 1 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting network default start-stop group tacacs+

    ip tacacs source-interface VLAN1

    tacacs-server host X.X.X.X

    tacacs-server host 10.10.10.4

    tacacs-server key 7 ####################333

    tacacs-server administration

    login authentication no_tacacs

    aaa group server tacacs+ tacacs1

    server-private 10.10.10.4 key ############

    ip vrf forwarding LAN

    ip tacacs source-interface VLAN1


  • RELEVANCY SCORE 2.68

    DB:2.68:Customize Lobby Ambassador View ca



    Hi all,

    I have a problem with the following situation:

    - Cisco Prime Infrastructure 2.0 (2.0.0.0.294)

    - Cisco ACS 5.4 (5.4.0.46.0a)

    - 2x Cisco WLAN Controller 5508 in SSO mode

    - x APs 2600 Series

    All devices are configured properly, I can see the WLC on Prime, etc.

    Prime and WLC are added to ACS for TACACS+ Authentication.

    Admin users are able to login to Prime with full feature set (root permission).

    Lobby Ambassadors can also login to Prime for Guest User creation.

    Therefore I have created two Shell Profiles on ACS.

    Now I want to create WLAN Guest User with Lobby Ambassador Account (TACACS-authenticated!).

    I want to customize the Default Guest User Creation page with a company logo and some default settings (WLAN Profile, Apply to Controller List, set "generate password" to fixed, etc.) to fixed values.

    Only thing what Lobby Ambassador can change should be setting the password period (with hours or using calender), guest user name and description.

    If I configure a local user on Prime, I can customize the page.

    However if I use TACACS user, I am not able to use the customized page.

    Can anybody help me with this issue?

    THANKS a lot!!!!

    edit: problem solved by workaround...

    https://supportforums.cisco.com/thread/2201703

    BR, Stefan


  • RELEVANCY SCORE 2.68

    DB:2.68:Ciscoworks2000 With Catalyst 6000 V.8.2 9x



    I have upgraded my Catalyst 6000s to 8.2 and now I have to press a key before my login banner appears. I found the bug number in this forum: CSCed45576.

    The problem is that now CiscoWorks (RME 3.5) can't access my switches using TACACS.

    I verified my password in RME/Admin/Inventory/Check device attributes, but it still says:

    TACACS : INCORRECT.

    Only the switches I upgraded to 8.2 can't communicate with CW.

    Is the Bug the problem ? Is there a patch in CW to fix it ?

    Thanks

    DB:2.68:Ciscoworks2000 With Catalyst 6000 V.8.2 9x


    Thanks for the bug ID, it seems to be my problem.

    Do you know which patch in CW can resolve my problem ?

  • RELEVANCY SCORE 2.67

    DB:2.67:Tacacs-Server Command Question z9



    What is the difference between the following commands?

    tacacs-server host 10.10.10.10 single-connection key test01

    - and -

    tacacs-server host 10.10.10.10 single-connection

    tacacs-server key test01

    DB:2.67:Tacacs-Server Command Question z9


    Hi,

    In the first method you are defining the shared secret key per tacacs server. However, using the second method, you can define multiple tacacs servers and use the same key. This is just a method to prevent redundancy and typos, e.g.:

    tacacs-server host 1.1.1.1 single-connection

    tacacs-server host 12.12.12.12 single-connection

    tacacs-server key test101

    in this example both the tacacs servers would use the key test101.

    However if we configure the tacacs servers as:

    tacacs-server host 1.1.1.1 single-connection key test

    tacacs-server host 12.12.12.12 single-connection

    tacacs-server key test101

    the tacacs server 12.12.12.12 would use the key test101; however, the tacacs server 1.1.1.1 would use the key test, as an explicitly defined key takes precedence over the global key.

    So these are just two different methods to define the tacacs server.

    Regards,

    Kush

    Cisco PDI Helpdesk
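    The precedence rule in the answer above (a key on the host line wins over the global tacacs-server key) can be checked mechanically. The following Python is an added example, not code from the post or from Cisco; it parses the two command forms quoted above and reports which key each host will actually use, plus any host left with no key at all. The configuration samples are constructed from the lines in the thread.

```python
"""Resolve the shared secret each 'tacacs-server host' will actually use.

Rule (from the answer above): a key given on the host line wins over the
global 'tacacs-server key'; a host with neither ends up with no key.
Added example, not from the post or from Cisco; samples are constructed."""
from typing import Dict, List, Optional


def _key_after(tokens: List[str]) -> Optional[str]:
    """Return the key string that follows the 'key' keyword, skipping the
    optional encryption-type digit (0 = cleartext, 7 = Cisco type-7)."""
    if "key" not in tokens:
        return None
    i = tokens.index("key") + 1
    if i < len(tokens) and tokens[i] in ("0", "7") and i + 1 < len(tokens):
        i += 1  # 'key 7 <string>' form, as in the VRF thread above
    return tokens[i] if i < len(tokens) else None


def effective_keys(config: str) -> Dict[str, Optional[str]]:
    """Map each host address to the key it will use: its own key if one was
    given on the host line, otherwise the global key, otherwise None."""
    global_key: Optional[str] = None
    host_keys: Dict[str, Optional[str]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["tacacs-server", "host"] and len(tokens) > 2:
            host_keys[tokens[2]] = _key_after(tokens[3:])
        elif tokens[:2] == ["tacacs-server", "key"]:
            global_key = _key_after(tokens[1:])
    # Order in the config does not matter: the global key applies to every
    # host that has no explicit key, wherever the global line appears.
    return {h: k if k is not None else global_key for h, k in host_keys.items()}


def hosts_without_key(config: str) -> List[str]:
    """Hosts that end up with no shared secret at all. Worth flagging: the
    key is what obfuscates the TACACS+ packet body on the wire."""
    return [h for h, k in effective_keys(config).items() if k is None]


# Constructed samples mirroring the two forms in the thread above.
SAMPLE_MIXED = """\
tacacs-server host 1.1.1.1 single-connection key test
tacacs-server host 12.12.12.12 single-connection
tacacs-server key test101
"""
SAMPLE_NO_GLOBAL = "tacacs-server host 10.10.10.10 single-connection\n"
SAMPLE_TYPE7 = "tacacs-server host 10.10.10.4\ntacacs-server key 7 EXAMPLEKEY\n"

if __name__ == "__main__":
    print(effective_keys(SAMPLE_MIXED))
    print(hosts_without_key(SAMPLE_NO_GLOBAL))
```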

  • RELEVANCY SCORE 2.66

    DB:2.66:Prime Infra Insecure Radius Options da



    Has anyone out there realized that Cisco Prime only provides insecure means to configure and use RADIUS? Please correct me if I am wrong.

    You have two options for authentication types in Prime: PAP or CHAP. PAP transmits unencrypted ASCII passwords over the network. CHAP is a good alternative and more secure than PAP. However, in Prime, in order to use CHAP, you must enable the password security setting for reversible password encryption (Windows Settings > Security Settings > Account Policies > Password Policy).

    From my research, enabling this setting is very insecure and against MS best practices. Thus, it would seem that we are between a rock and a hard place when it comes to using RADIUS for Prime. We can either use PAP and have everything transmitted in the plain, or set our GPO settings to store our passwords in an insecure manner. Either way the attack vector exists and can be easily exploited.

    The other options are using TACACS+ or an SSO server both which require an additional purchase.


  • RELEVANCY SCORE 2.65

    DB:2.65:Acs5.0 And Wcs 18



    I'm trying to see if it's possible to use ACS 5 patch 8 to authenticate WCS.

    Looking at the ACS 5.0 GUI, I'm looking at where you would enter the tacacs+ or radius custom attributes. From doing some configuration it would seem that the tacacs+ custom attributes are not available, but I found where you can enter the radius attributes; however, the cisco-av-pair is a string field that is one line and limited to 256 characters. Is anyone else trying to do this?

    DB:2.65:Acs5.0 And Wcs 18


    Hi,

    Under Shell Command Authorization mark [ciscowlc common] and [Custom attributes]

    In Custom attributes apply the following: role1=all

    Regards Kim

  • RELEVANCY SCORE 2.65

    DB:2.65:Tacacs+ k1



    How to implement TACACS+ security on my network

    DB:2.65:Tacacs+ k1

    Tacacs+ (Terminal Access Controller Access Plus) is a protocol that implements a scalable AAA security solution for a network. You can install and configure a Tacacs+ server to manage access to your network resources for every type of user (packet and char. mode).

    Cisco has two products that implement tacacs+. One is Cisco Secure and the other is a Unix tacacs+ daemon available free of cost but unsupported by Cisco. Cisco Secure is the latest product with new features, easy GUI-based configuration, and it is also supported by Cisco.

    For more information about tacacs+ read Cisco IOS security configuration guide available on CCO.

  • RELEVANCY SCORE 2.64

    DB:2.64:Cisco Prime 2.0 - Cli Credential c1



    Hi PI Experts,

    Is CLI credential mandatory on Cisco Prime?

    What would happen if no dedicated CLI credential were configured on Prime to access Cisco network devices?

    Right now we use TACACS+ to login to Cisco switches and routers and use Radius to login to PI.

    However, our security policy prevents us from either creating an AD account on the AD servers or creating a local TACACS+ user account on the ACS server for the PI appliance.

    So, when we do device discovery, if we want to use SSH/Telnet, we need to put in our own AD user credentials, then remove them after the discovery is done.

    Thanks

    Cedar

  • RELEVANCY SCORE 2.63

    DB:2.63:Acs 5.2 Custum Attributes xf



    Hi everybody

    Speaking generally, I have a question about tacacs+ custom attributes. On ACS 4.2 the custom attribute is written for Cisco CRC. But ACS 5.2 has different attributes, so how can I configure custom attributes on ACS 5.2?

    Thank you for helping!!!

    DB:2.63:Acs 5.2 Custum Attributes xf


    Thank you for helping, Jatin. A lot.

    If I have on ACS 4.2

    task*#cisco-support,#root-system

    how can I write this on ACS 5.2?

  • RELEVANCY SCORE 2.63

    DB:2.63:Cisco Nexus Tacacs Username Anomaly kc



    Hi,

    I observed that the Cisco Nexus is not accepting TACACS authentication with usernames that are completely numeric. Have any of you faced a similar problem? Most of our tacacs usernames are our employee IDs (not AD) and we are unable to log in. I've followed the procedure exactly as in the link below. Currently we are administering the switch with generic tacacs user IDs that contain only letters. I wanted to know if there are any additional custom attributes specific to Nexus to make it accept numeric characters in the username.

    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080af7d1d.shtml

    Rgds, VJ

    DB:2.63:Cisco Nexus Tacacs Username Anomaly kc


    Hi,

    Thanks for the reply.

    I was able to get to the correct page where it states that all numerical usernames are not allowed.

    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sec_rbac.html#wp1258819

    We are running 4.1(3)N1(1). I have checked the online documentation, even the latest 5.0(2) release doesn't support all numeric usernames.

    Rgds, VJ

  • RELEVANCY SCORE 2.63

    DB:2.63:How To Set Ucs Locales Using Radius/Tacacs+ Attributes 7k



    I know how to set a remotely authenticated/authorized users Role using the Radius av-pairs with UCS.

    What Radius attribute/av-pair syntax is needed to set the users Locale within UCS?

    I have tried shell:roles="role@locales" and shell:locales="locale name" with no success.

    DB:2.63:How To Set Ucs Locales Using Radius/Tacacs+ Attributes 7k

    Just an FYI to those out there trying to get Locales in UCSM working with Cisco ACS 5.x.  The attached image is the method to create the proper shell profile attribute values for locales support in UCSM with TACACS+ as the authentication domain.  Vincent above also has it right on the privileges available with locales support.

    I am using the Mandatory requirement as this shell profile is only used on Cisco UCS devices.

    I hope this saves someone a lot of frigging around! :-)

    Jim

  • RELEVANCY SCORE 2.63

    DB:2.63:Tacacs Error 98



    Issue has been solved

    DB:2.63:Tacacs Error 98


    Hi Senthi,

    Check your tacacs source interface and try to ping the tacacs server with the source IP.

    Also, if it is not reachable, then check the routing for the server IP. If you are getting a ping reply back, then use the following command...

    debug tacacs

    And check whether port number 49 is open or not; if it is not open, then check your server for further testing.

    Regards

    Amit

    *******Please rate if it is helpful********

  • RELEVANCY SCORE 2.63

    DB:2.63:Webvpn Auth Tacacs+ Proxy To External Odbc 13



    Hi Cisco,

    We have successfully setup a Cisco ASA hosting SSLVPN portal for login which then points to TACACS+ ACS v3.0 for authentication.

    For an easier login account management within the IT department, we want to now proxy the authentication from TACACS to an external SQL db ODBC as this existing database server is currently storing all existing login username and password for other internal products and services, hence reducing multiple login accounts for one user.

    For example, works similar to RADIUS:

    u/n: cisco@mydomain.com

    p/w: cisco

    TACACS receives the username, searches for policy/attributes according to the username in TACACS, strips the @mydomain.com and sends it to the ODBC connector "SQL db" for username "cisco" and p/w cisco authentication.

    If we can produce a solution using ODBC to connect from TACACS to the SQL server, we only have to manage the one server for login accounts (the external SQL Server), instead of having to manage multiple platforms: TACACS for login and also another SQL db.

    Please assist with a URL or suggestions on setting up TACACS+ to integrate with SQL db server.

    I hope it makes sense.

    Thanks again

    Peter

    DB:2.63:Webvpn Auth Tacacs+ Proxy To External Odbc 13


    Hi Cisco,

    I have finally found the solution. Thanks to Cisco.com as always.

    If any one is using the same set, here are the links FYI:

    ACS v3.0

    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007dec4.html#1835

    External ODBC Authentication

    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/exatu_wp.pdf

    Thanks

  • RELEVANCY SCORE 2.62

    DB:2.62:How To Configure Centralized Administrator Authentication At An Ap350 k1



    I can't configure Centralized Administrator Authentication on an AP350.

    I tried to configure it with tacacs+ (Version F4.0.4.alpha on SunSolaris), which worked well with IOS, but for the AP350 the tacacs+ server generates an AUTHEN/FAIL (does the AP350 support tacacs+ or only tacacs?). The second thing I tried is to use RADIUS with ACS3.0(2) Build5. The ACS generates an Access Accept, but the AP350 generates an Access Denied (which RADIUS attributes are necessary???)

    DB:2.62:How To Configure Centralized Administrator Authentication At An Ap350 k1


    Hi Nilesh,

    your solution works well, thanks. But how can I find this answer on the CCO??

  • RELEVANCY SCORE 2.62

    DB:2.62:Anyconnect Aaa - Determine Group Policy With Radius Or Tacacs+ 3c



    We've got a 5510 SecPlus (actually a pair) and I'm configuring new active directory backed VPN services using Aruba Clearpass Policy Manager. CPPM lets me send arbitrary tacacs or radius attributes based on the LDAP attributes in AD. So what I'd like to know is: can I configure the Connection Profile to assign a group policy dynamically based on what the auth server kicks back?

    I'm fairly certain I could map certain users to certain connection profiles and have my users select the appropriate connection profile from the drop down, then restrict access to each connection profile with clearpass. It'd be much more elegant if I could have a single connection profile with a dynamically selected group policy.

    ASA 8.0.2

    DB:2.62:Anyconnect Aaa - Determine Group Policy With Radius Or Tacacs+ 3c


    Well, can the connection profile be assigned dynamically from a radius server with AD/LDAP as the backend database?

    What protocol are you using between ASA and Authentication server?

    Can you reply with ASA's running configuration?

    Do update what authentication server are you using, aruba?

    ~BR Jatin Katyal **Do rate helpful posts**

  • RELEVANCY SCORE 2.62

    DB:2.62:Check Device Attributes Always Show Incorrect In Telnet And Local 39



    The check device attributes always show 'incorrect' the telnet and local user fields. The device is configured with aaa using tacacs+ and local. Telnet password and local username and password were input correctly both in the device and the check device attributes fields.

    Any idea why this happens?

    Thanks....

  • RELEVANCY SCORE 2.62

    DB:2.62:Granular Tacacs User Access In Wcs a7



    We have WCS configured to authenticate with ACS(TACACS). Is it possible to set the TACACS user profiles to access specific controllers and specific maps on the WCS server?

    In that case what are the custom attributes to use to make that work?

    Thanks!

    DB:2.62:Granular Tacacs User Access In Wcs a7


    For specific controllers you can make use of Network Access Restriction (NAR).

    What do you mean by specific maps?

    You restrict a device by NAR, and further, if you want to restrict something within a device, you make use of command authorization.

  • RELEVANCY SCORE 2.62

    DB:2.62:Backup Running-Config Cisco Prime Dcnm 6 8p



    I have configured DCNM to back up the running config and startup config daily. After I enabled the feature tacacs+, DCNM stopped backing up. But when I log on to the switch with the user created in tacacs_plus, he can log in and run the command privilege 15 on the switch.

    Does someone have any idea how to solve this?

    Thanks

    DB:2.62:Backup Running-Config Cisco Prime Dcnm 6 8p


    Resolved!!

    It was necessary to add these attributes.

    Under the Custom Attributes tab, enter these values:

    Attribute: cisco-av-pair

    Requirement: Mandatory

    Value: shell:roles*"network-admin vdc-admin"
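    The attribute values quoted in the Nexus thread above and in this DCNM answer all follow the TACACS+ argument syntax, where `=` marks a mandatory attribute and `*` an optional one, and cisco-av-pair can wrap a nested shell:roles pair. The following Python is an added example, not code from the posts or from Cisco; it parses such arguments and returns the role list NX-OS would receive. The sample arguments are constructed from the values quoted in the two threads.

```python
"""Parse TACACS+ authorization arguments ('attr=value' is mandatory,
'attr*value' is optional) and extract the NX-OS shell role list.

Added example, not from the posts above or from Cisco; samples constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # '=' separator means mandatory, '*' means optional


def parse_av_pair(arg: str) -> AVPair:
    """Split on the FIRST '=' or '*' only: the value part may itself hold
    another separator, as when cisco-av-pair wraps a nested shell:roles pair."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            value = arg[i + 1:]
            # ACS quotes a value containing spaces ("network-admin vdc-admin")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return AVPair(arg[:i], value, ch == "=")
    raise ValueError(f"no '=' or '*' separator in TACACS+ argument: {arg!r}")


def shell_roles(args: List[str]) -> List[str]:
    """Roles the device receives: from a direct shell:roles argument, or
    from one nested inside cisco-av-pair. Empty list if neither is present."""
    for arg in args:
        pair = parse_av_pair(arg)
        if pair.attribute == "cisco-av-pair":
            pair = parse_av_pair(pair.value)  # unwrap the nested pair
        if pair.attribute == "shell:roles":
            return pair.value.split()
    return []


def mandatory_attributes(args: List[str]) -> List[str]:
    """Names of the attributes sent with '=' (mandatory); handy for checking
    which attributes a given shell profile forces the device to honour."""
    return [p.attribute for p in map(parse_av_pair, args) if p.mandatory]


# Constructed samples mirroring the values quoted in the threads above.
DCNM_ARGS = ['cisco-av-pair=shell:roles*"network-admin vdc-admin"']
NEXUS_ARGS = ["shell:roles*network-admin"]
IOS_ARGS = ["priv-lvl=15"]

if __name__ == "__main__":
    print(shell_roles(DCNM_ARGS))   # ['network-admin', 'vdc-admin']
    print(mandatory_attributes(DCNM_ARGS + NEXUS_ARGS + IOS_ARGS))
```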

  • RELEVANCY SCORE 2.61

    DB:2.61:Tacacs+ For Non-Cisco Devices 7a



    Can we use Cisco Secure ACS authentication for non-Cisco devices? If yes, how do we configure vendor-specific attributes?

    DB:2.61:Tacacs+ For Non-Cisco Devices 7a


    It's not really a matter of whether ACS supports this, but whether your non-Cisco device does. ACS simply receives TACACS packets from external devices and acts upon them accordingly, so if the non-Cisco device can send TACACS packets to ACS then it should all work fine. You would have to check with your vendor to see if they support TACACS.

    Keep in mind ACS is also a Radius server and pretty much any vendor will support Radius. If you want to do command authorization/accounting though you have to use TACACS.

    You can configure vendor specific attributes here:

    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/ae.htm#wp365540

  • RELEVANCY SCORE 2.61

    DB:2.61:Rme 3.5 - Check Device Attributes Doesnt Work With Ssh Devices s3



    When 'Check Device Attributes' is run on any SSH enabled device, the 'Check Device Attributes' window incorrectly displays the TACACS and TACACS enable attributes as 'failed.'

    Some points:

    1) Server Config > About Server > Applications and Versions --- output attached.

    2) This is a CatOS-only environment; symptoms seen with these devices - don't know if it'd be the same with IOS devices.

    3) Screenshot of "Check Device Attributes" - attached.

    3)Screenshot of "Check Device Attributes" - attached.

    4) When SSH disabled and access is via Telnet, the problem doesn't occur.

    Any ideas why we are seeing the failed status with only SSH?

    DB:2.61:Rme 3.5 - Check Device Attributes Doesnt Work With Ssh Devices s3


    The functionality was never there to begin with before RME 4.0. We only had SSH support for config management (and even then, it was SSHv1 only). LMS 2.2 is over three years old, and needed backend functional changes to add support for newer security features such as system-wide SSH and SNMPv3.

    The main reason we called LMS 2.5 "2.5" instead of 3.0 was so that we could offer free upgrades to those with LMS 2.2 support contracts. If you are entitled to such an update, you can go to http://www.cisco.com/upgrade/ , put in your contract number, and order the CDs right there.