alcatel 7750 SR integration with cisco ACS for ftp and snmp acce

paul.rami · ‎03-09-2013

Hi all,

i am using cisco ACS5.3 to gurant aaa services in my network witch comprise alcatel routers 7750 SR and SAM.

Actually, the 7750SR is integrated the the ACS and the authentcation order is tacacs local, witch means that if the user is not in acs move to the local database-->this implicat a security threat in my network.

i 'd like the change this behavorlike this: if the user is not in acs database and acs is rechable--> deny access.

we know how to do that in he router.But we have 2 user defined in the local databse of the 7750 SR (1 used for ftp access, and the 1 other used for snmpv3 user to communicate with sam server). we would so configure these two users in ACS servers.

can u help me please solve this problem.

thanks in advance.

BRs,

Amjad Abdullah · ‎03-10-2013

Paul:
Not sure if I understood you exactly.

On your Alcatel router you can configure it to only use TACACS+ (not local). Is that right?

Now, you need to configure usrers on the ACS side, correct?
Because it is only to configure a normal users in the database in ACS, ( I don't think you don't know how to do that) then I am not able to find where your poblem is?

can you please elaborate more?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

paul.rami · ‎03-10-2013

Hi Amjad,

Thanks first for u reponse.

The problem is when i configure for exemple the user used for ftp in acs, the user is correctly authenticated to the router(information taken from acs logs) but i can access the ftp folder of the router ( cf3\:)

did u have any idea ?

Many thanks.

Regards,

Amjad Abdullah · ‎03-11-2013

Hi Paul,

You said the users CAN acess the ftp folder in the router. I think you mean the user CAN NOT access the ftp folder. is that correct?

Rating useful replies is more useful than saying "Thank you"

paul.rami · ‎03-11-2013

Sure Amjad,

when i try to login to the ftp server of the alcatel 7750 SR with the user i have defined in the acs using filezilla client for example i get login failed response .

BRs,

Amjad Abdullah · ‎03-11-2013

Ok. Now I got you.

So, what the logs on the ACS server say about this failed attempt? what is the failure reason? That should point is where the problem could be.

Rating useful replies is more useful than saying "Thank you"

paul.rami · ‎03-11-2013

Hi Amjed,

in ACS log, i see a successful authentication.

BRs,

maldehne · ‎03-11-2013

what can you see in authorization logs if you are using Tacacs+?

Most of the time failure to login to AAA clients result from authoirzation failure

due to the lack of adding attributes needed to force differentiated level of access

that can be understood by that particular AAA client.

I would recommend you to check the documentation for your third party AAA client

and verify what attributes neede to auhorize users trying to acces it as well as make sure

that they have been added correctly on ACS.

-------------------------------------------------------------------------------------------------------

Please make sure to rate correct answers

paul.rami · ‎03-11-2013

Hi Amjad, maldehne,

i have checked with alcatel support and the solution is adding the following configuration:

configure system security

    user-template "tacplus_default"

         access console ftp

So users wauthenticated via tacacs will have access to console and ftp.

Many thanks.

BRs,

Amjad Abdullah · ‎03-17-2013

Glad to hear your problem is resolved Paul.

Rating useful replies is more useful than saying "Thank you"

alcatel 7750 SR integration with cisco ACS for ftp and snmp access ?