cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5625
Views
5
Helpful
23
Replies

Ask the Expert: Installing and Configuring Cisco Access Control System

ciscomoderator
Community Manager
Community Manager

Installing and configuring Cisco Access Control SystemWith Javier Henderson

Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about how to install and configure the Cisco Secure Access Control System (ACS) with expert Javier Henderson. 

The Cisco Secure ACS is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution. 

Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.

Remember to use the rating system to let Javier know if you've received an adequate response. 

Because of the volume expected during this event, Javier might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, AAA, Identity and NAC, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

      

23 Replies 23

Eric R. Jones
Level 4
Level 4

Good morning, I'm Eric Jones and I'm a CISCO equipment user.

I have some questions on the 1121 AAA server.

We have 2, one is configured to work with our Active Directory.

It access the AD data and will pull the username from the AD group; however, when you attempt to enter the AD group users password it fails to login into the IOS device chosen.

What it wants is the enable password created for the local admin account on the IOS device.

The Shell profiles and Command Sets have been created.

The binding has been completed.

The IOS device has its configuration completed.

Part II of this issue.

When I first began configuring the device there were now Default Device Admin or Default Network Admin Access Policies configured.

I had to create these myself.

After that surprise everything went smoothly as mentioned above with the Shell Profiles and Command Sets.

Has anyone seen this issue before.

Part III of this issue.

When entering the Monitoring and Reports section and enabling Support Bundle I get an error when trying to start it.

I get a red warning banner at the top stating the server isn't running. Well Clearly it's running but it doesn't think so.

Also when trying to view the reports to see any accounting, authorization, authentication information in the logs there's nothing there.

I have configured the logs to write to a Server but nothing ever gets written.

And since nothing is being done locally on the ACS I can't tell why it's not writting to the server.

Any thoughts?

ej

Eric,

Regarding your questions:

1) Can you post the AAA configuration that you're using on the router? Please redact any passwords and IP addresses.

2) By default, ACS has a RADIUS default access policy called Default Network Access, and a TACACS+ access policy called Default Device Admin. You can create additional policies, as needed.

3) Please log into the CLI and run the following command:

# show application status acs

Then post the results.

Also, what version of ACS are you running? Include patch level, please. You can get this information from the "About..." link on the GUI, or "show version" on the CLI.

aducey01
Level 1
Level 1

I'm implementing a Cisco ACS in a multi tenant private cloud.  Has anyone else done this using multiple LDAP identity stores?  I need to research other work done in this area by universities, government and individuals.  Can you help me with any examples?

Thank you,

-anne

Anne,

ACS supports having multiple LDAP servers as identity stores.

Do you have specific configuration scenarios in mind that you'd care to discuss?

Javier Henderson

Cisco Systems

Eric R. Jones
Level 4
Level 4

I found my answer, the IP address format I was using was incorrect.

I had been using 10.*.*.* or a combination of this when I should have been a bit more detailed.

I have used 10.#-#.*.* or 10.0.#-#.#-# and now that issue has been resolved.

The next issue deals with AD and some users not being able to use their passwords to access the Priv Exec portion.

Should be an easy thing to track down.

ej

TM13
Level 1
Level 1

Hi Javier,

  We configured AAA on the switch on the group, and we added 2 ACS on that group, and on the row we added Enable last.

  So first i can see deny message on our ACS but 2 time i can go switch by my Enable password, but on second ACS on the group at the moment shut down, is that affected or ? that Enable command is allowing us to access switch any idea?

Tulgabat,

Could I see the current switch configuration, please?

In general, authentication methods are tried in the order in which they appear, until a valid response is received.

Note: access-reject is a valid response, so if the user enters an invalid username/password combination and ACS returns access-reject then no subsequent methods will be tried.

For example, consider the following configuration on a router:

aaa authentication login default group tacacs+ local

In the above case, access-reject by ACS will cause the router to reject the login. if ACS returns an error condition, or is unreachable, then the local user account configuration on the router will be used.

Javier Henderson

Cisco Systems      

Javier,

  That error condition making some confusions ... i've tried both Drop,Reject actions on it.

vty lin

line vty 0 4

session-timeout 10

password 7 121A0C041104

authorization commands 1 COMMANDS-1-AUTH

authorization commands 15 COMMANDS-15-AUTH

authorization exec EXEC-AUTH

accounting commands 1 COMMANDS-1-ACCT

accounting commands 15 COMMANDS-15-ACCT

accounting exec EXEC-ACCOUNTING

logging synchronous

login authentication VTY-LOGIN

transport input ssh

transport output telnet ssh

and AAA config

aaa group server tacacs+ TEST

server **.11

server **.12

!

aaa authentication login VTY-LOGIN group TEST enable

aaa authentication login CONSOLE group TEST enable

and i can see deny message in ACS on our primary ACS, and second time it is allowing to access it by Enable password, so i am guessing that is why because our Secondary ACS is shutdown ... so wondering procedure is it should access both ACS in the group?

Tulgabat,

The router should try to contact both ACS serves listed in the TEST server group. If neither respods, or both respond with an error condition, then the router should try the next method on the list, which in your configuration is "enable" (ie, the enable password configured on the router).

Keep in mind that if either of the ACS servers returns a deny then the authentication process will stop at that point and reject the login attempt.

Javier Henderson

Cisco Systems

Thanks Javier,

  Looks like 5.2 version bug ...

John Ventura
Level 1
Level 1

Hi Javier,

For the purpose of ACS database replication - what ports need to be open on any firewalls between primary and secondary nodes?  appreciate your help on this.

thanks,

John

The following table lists what ports are used by ACS, and for what purpose:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1093548

Javier Henderson

Cisco Systems

jacksonseow
Level 1
Level 1

Hi Javier,

How are you? I'm Jackson from Westrac Australia, we use AIRONET 1300 series WIFI radios.

Quick question,

Logging in via hyperterminal, we are normally present with "AP>" , we've seen a couple of "Bridge:".

Could you point out to me how to go from Bridge prompt to AP prompt pls, thank you

regards

Jackson,

The Bridge: prompt is from the bootloader, rather than IOS. Please refer to the wireless area of this support forum for further assistance, since this event is centered around ACS.

Regards,

Javier Henderson

Cisco Systems