04-24-2014 12:12 PM - edited 03-10-2019 09:40 PM
I'm moving our ACS from 4.2.1 to 5.5 and I'm not having problems with most of it. In fact, I like most of the changes in ACS 5.5. One thing I'm stumped on (for now).
In ACS 4.2.x, we can create a user, have that user authenticate with AD, LDAP, internal, whatever. We can do that in 5.5 as well. The difference is that on ACS 5.5, if the user is configured to authenticate with other than an internally configured password, the "enable password" boxes are greyed out. Seems the system forces the user to use the same password for the enable password on a switch/router/whatever.
Is there a way in ACS 5.5 to manually enter a unique enable password for a user, yet allow that user to authenticate via an external source? As in ACS 4.2? It could be I just haven't found the workaround yet.
Hope that's clear.
04-24-2014 01:02 PM
Oh yeah. I have the most recent patch installed, 5.5.0.46.2
04-24-2014 11:44 PM
Hi Wbauer,
You may point user login authentication to external identity store like AD, LDAP etc and enable authentication to locally configured enable password on ACS. I had answered this query before here
Hope this helps.
Regards,
Jatin Katyal
*Do rate helpful posts*
04-25-2014 11:37 AM
Thanks for the response, but I'm afraid I don't quite understand your solution. I think some of the grammar in the response is tripping me up.
The user's ACS enable password is disabled for entry if the user is configured to authenticate with an external source, so where exactly is the enable password defined on ACS? The screenshot and explanation in the solution don't make that at all clear to me.
04-25-2014 11:57 AM
The user should be present in both the databases (ACS internal and Active directory). You need to select the internal database while creating a user. The login password could be anything because it's not gonna check.
User login: XXXX
Password: XXXX -----> This password will be checked against the external identity store like AD.
>enable
password: XXXX ----> This password will be checked against ACS internal database.
In those screen shots you will see an option to select the identity source.
Hope this adds a little more clarification.
Regards,
Jatin Katyal
*Do rate helpful posts*
04-28-2014 11:11 AM
I understand all of that, but as I've said, if I select anything other than "Internal Users" for the password type, the enable password boxes are disabled. Unable to enter anything into them at all.
The only way I can enter a password into those fields is to set the password type to "Internal Users".
The source of my consternation is the enable password fields are disabled with all external choices for password type in 5.5.
04-28-2014 11:19 AM
That is correct... enable password fields are disabled with all external choices for password type in ACS 5.x
Regards,
Jatin Katyal
*Do rate helpful posts*
04-28-2014 11:31 AM
But above you said to enter the enable password, even if we select AD for the password. The two statements don't resolve.
Are you saying to create the user as Internal Only, enter an enable password, then save it?
Then in a second step change the user auth to an external mechanism and the enable password will remain active, even though disabled?
If so, that's stated nowhere in the solutions provided.