Hi all,
I am using Cisco ACS 5.3 to provide AAA services in my network, which comprises Alcatel 7750 SR routers and SAM.
Actually, the 7750 SR is integrated with the ACS and the authentication order is tacacs local, which means that if the user is not in ACS it moves to the local database --> this implies a security threat in my network.
I'd like to change this behavior like this: if the user is not in the ACS database and ACS is reachable --> deny access.
We know how to do that in the router. But we have 2 users defined in the local database of the 7750 SR (1 used for FTP access, and the other used as an SNMPv3 user to communicate with the SAM server). We would therefore configure these two users in the ACS servers.
Can you help me please solve this problem?
Thanks in advance.
BRs,
Paul:
Not sure if I understood you exactly.
On your Alcatel router you can configure it to only use TACACS+ (not local). Is that right?
Now, you need to configure users on the ACS side, correct?
Because it is only a matter of configuring normal users in the database in ACS (I don't think you don't know how to do that), I am not able to find where your problem is.
can you please elaborate more?
Thanks.
Amjad
Rating useful replies is more useful than saying "Thank you"
Hi Amjad,
Thanks first for your response.
The problem is that when I configure, for example, the user used for FTP in ACS, the user is correctly authenticated to the router (information taken from the ACS logs) but I can access the FTP folder of the router (cf3:).
Do you have any idea?
Many thanks.
Regards,
Hi Paul,
You said the users CAN access the FTP folder in the router. I think you mean the user CAN NOT access the FTP folder. Is that correct?
Sure Amjad,
When I try to log in to the FTP server of the Alcatel 7750 SR with the user I have defined in the ACS, using the FileZilla client for example, I get a login failed response.
BRs,
Ok. Now I got you.
So, what do the logs on the ACS server say about this failed attempt? What is the failure reason? That should point us to where the problem could be.
Hi Amjad,
In the ACS log, I see a successful authentication.
BRs,
What can you see in the authorization logs, if you are using TACACS+?
Most of the time, failure to log in to AAA clients results from an authorization failure due to the lack of the attributes needed to enforce a differentiated level of access that can be understood by that particular AAA client.
I would recommend that you check the documentation for your third-party AAA client and verify what attributes are needed to authorize users trying to access it, as well as make sure that they have been added correctly on ACS.
-------------------------------------------------------------------------------------------------------
Please make sure to rate correct answers
Hi Amjad, maldehne,
I have checked with Alcatel support and the solution is adding the following configuration:
configure system security
user-template "tacplus_default"
access console ftp
So users authenticated via TACACS+ will have access to console and FTP.
Many thanks.
BRs,
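For readers landing on this thread with the same setup, here is the fix from the post above placed next to the authentication-order change Paul asked about at the start of the thread. This is an added example, not configuration from the thread, from Alcatel support or from Alcatel/Nokia documentation: it uses SR OS classic CLI as I know it, the server address, shared secret and user names are placeholders I made up, and the `#` lines are annotations rather than configuration. Check the keyword spelling against the system management guide for your SR OS release before applying it.

```text
# Added example: SR OS classic CLI, placeholders throughout, not from the thread.
configure system security
    tacplus
        # Cisco ACS 5.3 acting as TACACS+ server (placeholder address and secret)
        server 1 address 192.0.2.10 secret "replace-me"
        authorization
        accounting
        no shutdown
    exit
    password
        # Ask TACACS+ first. "exit-on-reject" stops the fall-through to the local
        # database when ACS answers with a reject, which is the hole described in
        # the first post. Local is still consulted when no TACACS+ server answers,
        # so console access survives an ACS outage.
        authentication-order tacplus local exit-on-reject
    exit
    # Rights granted to users that exist only in ACS. Without "ftp" here a
    # TACACS+-authenticated user passes authentication (ACS logs a success)
    # but the FTP login on the router still fails, as seen in this thread.
    user-template "tacplus_default"
        access console ftp
    exit
    # SNMPv3 is authenticated by USM keys held on the router, not by TACACS+,
    # so the SAM user must stay local. Limit it to SNMP so the local account
    # cannot be used for console or FTP; its USM keys and group go under "snmp".
    user "sam_snmp"
        access snmp
        snmp
            group "sam_rw"
        exit
    exit
exit
```

Two points a practitioner should check after applying something like this: first, that a user present in the local database but unknown to ACS can no longer log in while ACS is reachable (that is the behaviour `exit-on-reject` is meant to enforce, and the thread's original concern); second, that the template really is the least privilege you want for every ACS user, since `access console ftp` in `tacplus_default` applies to anyone ACS accepts unless per-user attributes returned by ACS narrow it. The SNMPv3 user cannot be moved into ACS at all, so the plan in the first post to define both local users on the ACS side only works for the FTP user.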
Glad to hear your problem is resolved Paul.