This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
With Javier Henderson
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to install and configure the Cisco Secure Access Control System (ACS) with expert Javier Henderson.
The Cisco Secure ACS is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution.
Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.
Remember to use the rating system to let Javier know if you've received an adequate response.
Because of the volume expected during this event, Javier might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, AAA, Identity and NAC, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.
Regarding your questions:
1) Can you post the AAA configuration that you're using on the router? Please redact any passwords and IP addresses.
2) By default, ACS has a RADIUS default access policy called Default Network Access, and a TACACS+ access policy called Default Device Admin. You can create additional policies, as needed.
3) Please log into the CLI and run the following command:
# show application status acs
Then post the results.
Also, what version of ACS are you running? Include patch level, please. You can get this information from the "About..." link on the GUI, or "show version" on the CLI.
I'm implementing a Cisco ACS in a multi tenant private cloud. Has anyone else done this using multiple LDAP identity stores? I need to research other work done in this area by universities, government and individuals. Can you help me with any examples?
ACS supports having multiple LDAP servers as identity stores.
Do you have specific configuration scenarios in mind that you'd care to discuss?
I found my answer, the IP address format I was using was incorrect.
I had been using 10.*.*.* or a combination of this when I should have been a bit more detailed.
I have used 10.#-#.*.* or 10.0.#-#.#-# and now that issue has been resolved.
The next issue deals with AD and some users not being able to use their passwords to access the Priv Exec portion.
Should be an easy thing to track down.
We configured AAA on the switch on the group, and we added 2 ACS on that group, and on the row we added Enable last.
So first i can see deny message on our ACS but 2 time i can go switch by my Enable password, but on second ACS on the group at the moment shut down, is that affected or ? that Enable command is allowing us to access switch any idea?
Could I see the current switch configuration, please?
In general, authentication methods are tried in the order in which they appear, until a valid response is received.
Note: access-reject is a valid response, so if the user enters an invalid username/password combination and ACS returns access-reject then no subsequent methods will be tried.
For example, consider the following configuration on a router:
aaa authentication login default group tacacs+ local
In the above case, access-reject by ACS will cause the router to reject the login. if ACS returns an error condition, or is unreachable, then the local user account configuration on the router will be used.
That error condition making some confusions ... i've tried both Drop,Reject actions on it.
line vty 0 4
password 7 121A0C041104
authorization commands 1 COMMANDS-1-AUTH
authorization commands 15 COMMANDS-15-AUTH
authorization exec EXEC-AUTH
accounting commands 1 COMMANDS-1-ACCT
accounting commands 15 COMMANDS-15-ACCT
accounting exec EXEC-ACCOUNTING
login authentication VTY-LOGIN
transport input ssh
transport output telnet ssh
and AAA config
aaa group server tacacs+ TEST
aaa authentication login VTY-LOGIN group TEST enable
aaa authentication login CONSOLE group TEST enable
and i can see deny message in ACS on our primary ACS, and second time it is allowing to access it by Enable password, so i am guessing that is why because our Secondary ACS is shutdown ... so wondering procedure is it should access both ACS in the group?
The router should try to contact both ACS serves listed in the TEST server group. If neither respods, or both respond with an error condition, then the router should try the next method on the list, which in your configuration is "enable" (ie, the enable password configured on the router).
Keep in mind that if either of the ACS servers returns a deny then the authentication process will stop at that point and reject the login attempt.
For the purpose of ACS database replication - what ports need to be open on any firewalls between primary and secondary nodes? appreciate your help on this.
The following table lists what ports are used by ACS, and for what purpose:
How are you? I'm Jackson from Westrac Australia, we use AIRONET 1300 series WIFI radios.
Logging in via hyperterminal, we are normally present with "AP>" , we've seen a couple of "Bridge:".
Could you point out to me how to go from Bridge prompt to AP prompt pls, thank you
The Bridge: prompt is from the bootloader, rather than IOS. Please refer to the wireless area of this support forum for further assistance, since this event is centered around ACS.