Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

robert.huang
Level 1

Hi,

I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.

ACS 4.2 has been configured to use both the internal and an external database. It's been working fine for a couple of years.

Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.

I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.

tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin

3 Replies

andamani
Cisco Employee

Hi,

Since the ACS is receiving the request, could you please ensure that on the ACE, in every context (including Admin and the others), you have the following strings:

tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
   server x.x.x.x

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin

On the ACS side, for the group named "Network Administrators", you should configure the following in the TACACS+ settings:

1. Shell (exec): enabled

2. Privilege level 15

3. Custom attributes:

           shell:Admin*Admin default-domain

    If you have an additional context, add the next line:

          shell:mycontext*Admin default-domain

After logging in to the ACE and issuing the "show users" command, you should see the following:

User      Context   Line    Login Time     (Location)   Role    Domain(s)
*adm-x    Admin     pts/0   Sep 21 12:24   (x.x.x.x)    Admin   default-domain

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
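The reply above describes the TACACS+ login path from the ACE to ACS. When one user in the same ACS group passes and another fails with no entry in the Failed Attempts log, it helps to reproduce the exact ASCII-login exchange from an ordinary host, so the answer from ACS (PASS, FAIL, ERROR, or a dropped connection) can be seen directly rather than inferred from "Login incorrect" on the ACE. The script below is an added example written for this page, not code from the thread, from Cisco, or from any ACS/ACE product; it implements the RFC 8907 header, body obfuscation and AUTHEN START/CONTINUE/REPLY framing for an ASCII LOGIN. The server address, shared key, port name, remote address, privilege level and the usernames in it are placeholders that you must replace, and the ACS host must already list the testing host as an AAA client with the same key for the exchange to succeed.

```python
"""Minimal TACACS+ ASCII LOGIN test client (RFC 8907 framing).

Added example for this thread, not Cisco or ACS/ACE code. Sends the same
LOGIN request an ACE would send and reports the status ACS returns.
Server, key, usernames and passwords below are placeholders (assumptions).
"""
import hashlib
import os
import socket
import struct

TAC_PLUS_VERSION = 0xC0          # major 0xC, minor 0 (default)
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12

# AUTHEN START fields for an ASCII login
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# AUTHEN REPLY status values
STATUS_NAMES = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: chained MD5 over
    session_id (4 bytes, network order), key, version (1 byte), seq_no (1 byte),
    with each block also fed the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key +
                           bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad. The operation is symmetric, so the same
    call also de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Prepend the 12-byte header (flags=0 means the body is obfuscated)."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def authen_start_body(user: str, port: str = "tty0", rem_addr: str = "0.0.0.0",
                      priv_lvl: int = 1) -> bytes:
    """AUTHEN START for action LOGIN, type ASCII, service LOGIN, no data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r


def authen_continue_body(user_msg: str) -> bytes:
    """AUTHEN CONTINUE carrying the answer to GETPASS (user_msg_len, data_len, flags)."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def authen_reply_body(status: int, server_msg: str) -> bytes:
    """AUTHEN REPLY as the server builds it; used here to exercise parse_reply offline."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m


def parse_reply(packet: bytes, key: bytes) -> dict:
    """Decode header, de-obfuscate, and extract status and server_msg."""
    _ver, _type, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"seq_no": seq_no, "status": STATUS_NAMES.get(status, hex(status)),
            "server_msg": body[6:6 + msg_len].decode(errors="replace")}


def recv_packet(sock) -> bytes:
    """Read one full TACACS+ packet (header first, then exactly `length` body bytes)."""
    buf = b""
    while len(buf) < HEADER_LEN:
        chunk = sock.recv(HEADER_LEN - len(buf))
        if not chunk:  # a silent close usually means key mismatch or unknown AAA client
            raise ConnectionError("server closed the connection before replying")
        buf += chunk
    length = struct.unpack(HEADER_FMT, buf)[5]
    while len(buf) < HEADER_LEN + length:
        chunk = sock.recv(HEADER_LEN + length - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def ascii_login(server: str, key: bytes, user: str, password: str,
                port: int = 49, timeout: float = 5.0) -> dict:
    """ASCII LOGIN: START(user) -> GETPASS -> CONTINUE(password) -> PASS/FAIL."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_packet(authen_start_body(user), session_id, key, 1))
        reply = parse_reply(recv_packet(s), key)
        if reply["status"] != "GETPASS":   # e.g. ERROR or FAIL straight away
            return reply
        s.sendall(build_packet(authen_continue_body(password), session_id, key, 3))
        return parse_reply(recv_packet(s), key)


if __name__ == "__main__":
    # Placeholders: replace with the ACS address, its shared key and a test account.
    for name in ("Super", "DomainAdmin"):
        print(name, ascii_login("192.0.2.10", b"shared-secret", name, "changeme"))
```

Run it once with the internal-database user and once with the AD user: a FAIL with a server message points at the ACS side (the AD mapping for that group), while a closed connection or timeout points at the shared key or AAA-client entry for the host you are testing from. Compare the result with the ACE's own behaviour before changing either device.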

Hi Anisha,

Thanks for your reply.

All the settings were done before the testing.

I have two users in the same group "Network Admins" on the ACS 4.2. One is called Super, and Super is authenticated through the ACS internal database. The other one is called DomainAdmin, and it's authenticated through Microsoft AD. Since they are in the same group, they have exactly the same privilege 15.

Both Super and DomainAdmin are working well with all other Cisco routers and switches. Super is also working well with the Cisco 4710 ACE. Only DomainAdmin cannot log in to the ACE.

Very confused. Hope someone can shed some light on this problem.

Robert

Does anyone have an answer to this?

Thanks.