topic Using AD credential for device management. in Network Access Control

Using AD credential for device management.

yong khang NG — Mon, 11 Mar 2019 01:42:33 GMT

Hi ,

I trying to set the identity source to use Active Directory's reside credential as the method for authentication.

Connection between AD and ACS was establish and connected.

Problem statement:-

The moment i trying to telnet from remote site, i able to proceed on first state username-password authentication, but once come to enable password, it prompt me authentication failure even with the right password.

The error log for this case is "13029 Requested privilege level too high"

If i switch the identity source to local it won't have such problem.

Platform for these case is

- C6500 with IOS 12.2(33) SXJ1

- ACS 5.2.0.26

So, at ACS, i set the identity store at access policies > access_name > identity

For Device administration > shell profile in use setting the default privilege and maximum privelege to value 15. The name of sthe shell profiles is "full_privilege"

Below is my switch config snipet:-

aaa group server tacacs+ TAC_PLUS

server name AUTH

tacacs server AUTH

address ipv4 10.10.21.251

key xxxxxxxx

aaa authentication login TAC_PLUS group tacacs+ local

aaa authentication enable default group TAC_PLUS none

aaa authorization exec TAC_PLUS group tacacs+ if-authenticated

aaa authorization commands 15 TAC_PLUS group tacacs+ local

aaa authorization network TAC_PLUS group tacacs+ local

aaa accounting update periodic 1

aaa accounting exec TAC_PLUS start-stop group tacacs+

aaa accounting network TAC_PLUS start-stop group tacacs+

aaa accounting connection TAC_PLUS start-stop group tacacs+

please advice, thanks

Noel

Using AD credential for device management.

camejia — Wed, 11 Jan 2012 17:39:11 GMT

Hello,

As you mentioned that it works fine for Internal ACS Users, can you check the Authorization Condition you have in order to return Privilege Level 15 for the users?

For example, if Internal Users ID Store works fine then the Authorization Condition might be pointing to an Internal ACS Attribute Condition like Identity Groups.

When changing to AD then the Identity Group rule might not be matched, therefore, getting to the Default Deny Access rule.

Please check the Authorization rules for the appropriate Access Service and confirm that a valid rule is created for AD users as well in order to return the appropriate privilege lever.

Hope this helps.

Regards.

Using AD credential for device management.

yong khang NG — Thu, 12 Jan 2012 11:43:26 GMT

Hi,

Sorry for late reply. I am staying at GMT+8 timezone, i guess there's a gap of time matter.

As you request, i attact the snapshot for you to refer.

On the switch the aaa config can found from above thread.

Million thanks !!!!!

Noel

Using AD credential for device management.

yong khang NG — Fri, 13 Jan 2012 04:32:31 GMT

Hi Mejia,

You reply is the right answer, i create another rule and lookup usisng AD external group for authentication.

Thanks for your advice

Noel

Using AD credential for device management.

Juan Carlos Arias Perez — Mon, 16 Jan 2012 23:10:53 GMT

Hi Noel, I have a similar problem as yours, I'm trying to fix with your comments but I have a doubt, could you please paste a print screen of your Access Policies profile named "Device Admin", I appreciate a lot your help.

Regards,

Juan Carlos