03-09-2013 01:24 PM - edited 03-10-2019 08:10 PM
Hi all,
I am using Cisco ACS 5.3 to guarantee AAA services in my network, which comprises Alcatel 7750 SR routers and SAM.
Actually, the 7750 SR is integrated with the ACS and the authentication order is tacacs local, which means that if the user is not in ACS it moves to the local database. This implies a security threat in my network.
I'd like to change this behavior like this: if the user is not in the ACS database and ACS is reachable, deny access.
We know how to do that in the router. But we have 2 users defined in the local database of the 7750 SR (1 used for FTP access, and the other used as the SNMPv3 user to communicate with the SAM server). We would therefore configure these two users in the ACS servers.
Can you please help me solve this problem?
thanks in advance.
BRs,
03-10-2013 03:52 AM
Paul:
Not sure if I understood you exactly.
On your Alcatel router you can configure it to only use TACACS+ (not local). Is that right?
Now, you need to configure users on the ACS side, correct?
Because it is only a matter of configuring normal users in the database in ACS (I don't think you don't know how to do that), I am not able to find where your problem is.
Can you please elaborate more?
Thanks.
Amjad
Rating useful replies is more useful than saying "Thank you"
03-10-2013 11:18 AM
Hi Amjad,
Thanks first for your response.
The problem is, when I configure for example the user used for FTP in ACS, the user is correctly authenticated to the router (information taken from ACS logs) but I can access the ftp folder of the router (cf3:).
Do you have any idea?
Many thanks.
Regards,
03-11-2013 12:05 AM
Hi Paul,
You said the users CAN access the ftp folder in the router. I think you mean the user CAN NOT access the ftp folder. Is that correct?
Rating useful replies is more useful than saying "Thank you"
03-11-2013 01:48 AM
Sure Amjad,
When I try to log in to the FTP server of the Alcatel 7750 SR with the user I have defined in the ACS, using the FileZilla client for example, I get a login failed response.
BRs,
03-11-2013 02:08 AM
Ok. Now I got you.
So, what do the logs on the ACS server say about this failed attempt? What is the failure reason? That should point us to where the problem could be.
Rating useful replies is more useful than saying "Thank you"
03-11-2013 03:42 AM
Hi Amjad,
In the ACS log, I see a successful authentication.
BRs,
03-11-2013 04:00 AM
What can you see in the authorization logs if you are using TACACS+?
Most of the time, failure to log in to AAA clients results from authorization failure due to not adding the attributes needed to force a differentiated level of access that can be understood by that particular AAA client.
I would recommend you check the documentation for your third-party AAA client and verify what attributes are needed to authorize users trying to access it, as well as make sure that they have been added correctly on ACS.
-------------------------------------------------------------------------------------------------------
Please make sure to rate correct answers
03-11-2013 09:01 AM
Hi Amjad, maldehne,
I have checked with Alcatel support and the solution is adding the following configuration:
configure system security
user-template "tacplus_default"
access console ftp
So users authenticated via TACACS will have access to console and ftp.
Many thanks.
BRs,
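As an added example (not from the thread, Alcatel or Cisco), a small Python audit of an SR OS-style configuration for the two settings this thread turned on: a local fallback after tacplus in the authentication order, and whether the "tacplus_default" user-template grants ftp. The sample configuration is constructed, and the password / authentication-order lines are assumed SR OS syntax that the thread itself does not show.

```python
import re

# Constructed SR OS-style snippet (not from a real device): the thread's user-template
# fix plus a "tacplus local" order. The password/authentication-order syntax is assumed.
SAMPLE_CONFIG = """\
configure system security
    password
        authentication-order tacplus local
    exit
    user-template "tacplus_default"
        access console ftp
    exit
exit
"""

def parse_blocks(text):
    """Map each block header to the lines nested under it, using indentation;
    an 'exit' closes the block at its own indent. Not a general SR OS parser."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leaving a block (also reached on 'exit')
        if line == "exit":
            continue
        if stack:
            blocks.setdefault(stack[-1][1], []).append(line)
        stack.append((indent, line))
    return blocks

def has_local_fallback(blocks):
    """True when 'local' is tried after 'tacplus': a user unknown to ACS still
    gets a second chance against the router's local database."""
    for line in blocks.get("password", []):
        m = re.match(r"authentication-order\s+(.+)", line)
        if m:
            order = m.group(1).split()
            return ("tacplus" in order and "local" in order
                    and order.index("local") > order.index("tacplus"))
    return False

def template_access(blocks, name="tacplus_default"):
    """Access methods a template grants to users authenticated via TACACS+."""
    for line in blocks.get(f'user-template "{name}"', []):
        if line.startswith("access "):
            return set(line.split()[1:])
    return set()
```

Run `has_local_fallback` and `template_access` over `parse_blocks(SAMPLE_CONFIG)`; the first flags the fallback the original poster wanted removed, the second confirms ftp is granted to TACACS+ users.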
03-17-2013 04:41 AM
Glad to hear your problem is resolved Paul.
Rating useful replies is more useful than saying "Thank you"