Recently install ACS 220.127.116.11.8 and setup ACS for device Administration using TACACS+.
Everything works as expected; ACS intergrated correctly with end points, local users can auth onto end point correctly though AAA.
Debug on end points shows successful AAA comms to ACS.
Now I'm at the point to remove all local users in ACS and intergrate ACS with AD.
I setup the external store AD section with the correct domain name and added the AD user (the AD service account had domain admin rights)
I clicked 'test connectivity' button and got a successful connection first go.
I setup the AD section to link to 2 AD groups.
Now I run into a brick wall.
I cannot seem to authenticate an AD user for AAA access onto a router or switch using telnet.
I check the logs and noticed that it says 'unknown user' and the store its using says 'internal store'
I have set the identity store sequence to be AD first then local but ACS still does not seem to check against the external store.
I'm not sure if I should be setting up ACS to AD group mappings, if this will have any effect, like it did in 4.2
I'm also unsure as to how the rule set should be changed in my access policies; e.g. do I need to click the customize button and add in a new policy element. And then rewrite the rules to exclude local groups and include AD groups, so as to get ACS to perform user lookup against the external AD store.
If anyone can point be the the right direction, would be greatly appreciated.. or
if someone could please point me towards a step guide as to how to correctly setup ACS to intergrate into AD for tacacs device admin this would also help.
Did you notice the tacacs authentication logs in AAA protocol logs > tacacs authentication? Do you see "internal error in ACS/AD"? You need to apply patch 9 (5-0-0-21-9.tar.gpg ), there is some issue with 18.104.22.168 and AD authentication.
You can download the patch from below listed link:
Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > click on 22.214.171.124
HOW TO APPLY PATCH ON ACS 5.0
Go to the CLI mode of this ACS
–Create a repository (it’s basically defining FTP server)
AAA/admin(config)# repository FTP ---> (could be any name)
After that place the patch on the ftp server.
AAA/admin# acs patch install
repository ftp from here it will stop the services, apply the patch and start the services again.
We can check the version status using AAA51/admin# show application version acs
You can also go through the read me file.
I am not familiar with any issue resolved in patch 9 related to TACACS+ authentication with AD
One thing to check to be 100% sure
You need to make sure that you changed the identity source that is the result for the identity policy to be the identity sequence you defined
If you are using the predefiend device admin service, this can be changed at the following link:
Access Policies > Access Services > Default Device Admin > Identity
Press the "Select" button and select the identity sequence as the identity source to handle the autthentication requests
Otherwise the best way to trouble shoot is to go to:
Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS+ Authentication
Selecting the details icon can give a step-by-step detail of the request processing
as was mentioned previously
Thanks but I have resolved the problem by upgrading the appliance to 5.1
There is a bug in the 126.96.36.199.8 code that prevents a user from see the 'Identity Source' selection box from the section
Access Policies > Access Services > (Device admin policy name) > Identity
(See attached picture)
Apon upgrading the Appliance, and extra selection box was now visible, allowing my to choose either internal stores, external stores or my Identity Store Sequence policy.
Tested and now works well with AD.
Your probably correct, although I was swapping between FF and Safari (mac).
I did notice that certain windows would crash using FF and would use Safari for item dragging from one selection box to another.
I swapped and changed browsers so much that I cannot recall 100% if I did or did not see that selection box in Safari.
I did have a colleague with me working on this problem and upgrade,.... he only uses safari and does not have FF installed (on his mac) and he thinks that it wasn't available for him either. ......we cannot confirm it now that we have upgraded.
thanks for your support