05-05-2011 10:19 AM - edited 03-10-2019 06:03 PM
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
05-05-2011 06:33 PM
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
On ACS side for group named "Network Administrators" you should configure in TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User    Context  Line   Login Time (Location)    Role   Domain(s)
*adm-x  Admin    pts/0  Sep 21 12:24 (x.x.x.x)   Admin  default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
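The two checks in the reply above (every ACE context carries the same TACACS+ AAA lines, and the ACS group returns one shell:<context>*<role> <domain> attribute per context the user should reach) lend themselves to a small audit script. The following is an added example, not part of this thread and not a Cisco tool. It assumes you paste each context's running-config into a dict keyed by context name, and that the ACS custom attributes are available as plain strings; the sample config and attribute list below are constructed for the demonstration, with a deliberately incomplete second context.

```python
"""Audit ACE per-context TACACS+ AAA lines and ACS shell: custom attributes.

Added example (not the thread's or Cisco's code). Config text per context
and the ACS attribute strings are assumed inputs; samples are constructed.
"""
import re
from typing import Dict, List, Tuple

# Lines the reply says every ACE context must carry. Patterns that capture
# a group name let us cross-check that one server-group name is used
# consistently within a context.
REQUIRED = [
    ("tacacs-server host", re.compile(r'^tacacs-server host \S+ key 7 "[^"]+"$')),
    ("aaa group server", re.compile(r"^aaa group server tacacs\+ (\S+)$")),
    ("group member server", re.compile(r"^\s*server \S+$")),
    ("login default", re.compile(r"^aaa authentication login default group (\S+) local$")),
    ("login console", re.compile(r"^aaa authentication login console group (\S+) local$")),
    ("accounting", re.compile(r"^aaa accounting default group (\S+)$")),
]

# ACS custom attribute syntax from the reply: shell:<context>*<role> <domain(s)>
SHELL_ATTR = re.compile(r"^shell:(?P<ctx>[^*\s]+)\*(?P<role>\S+)\s+(?P<domains>.+)$")


def check_context_aaa(config: str) -> List[str]:
    """Return the problems found in one context's running-config text."""
    problems: List[str] = []
    groups = set()
    lines = config.splitlines()
    for label, pattern in REQUIRED:
        matched = False
        for line in lines:
            m = pattern.match(line)
            if m:
                matched = True
                if m.groups():
                    groups.add(m.group(1))
        if not matched:
            problems.append(f"missing: {label}")
    if len(groups) > 1:
        problems.append(f"inconsistent server-group names: {sorted(groups)}")
    return problems


def parse_shell_attribute(attr: str) -> Tuple[str, str, List[str]]:
    """Split 'shell:Admin*Admin default-domain' into (context, role, domains)."""
    m = SHELL_ATTR.match(attr.strip())
    if not m:
        raise ValueError(f"not a valid ACE shell attribute: {attr!r}")
    return m.group("ctx"), m.group("role"), m.group("domains").split()


def contexts_without_role(contexts: Dict[str, str], attrs: List[str]) -> List[str]:
    """Contexts configured on the ACE that no shell: attribute mentions.

    Per the reply, each context needs its own shell:<ctx>*<role> line on the
    ACS group, so a context listed here is a likely cause of a failed login.
    """
    granted = {parse_shell_attribute(a)[0] for a in attrs}
    return sorted(c for c in contexts if c not in granted)


# Constructed sample input: Admin is complete, "web" lacks the accounting line.
CONTEXTS = {
    "Admin": 'tacacs-server host x.x.x.x key 7 "xxx"\n'
             "aaa group server tacacs+ tac_admin\n"
             "  server x.x.x.x\n"
             "aaa authentication login default group tac_admin local\n"
             "aaa authentication login console group tac_admin local\n"
             "aaa accounting default group tac_admin\n",
    "web":   'tacacs-server host x.x.x.x key 7 "xxx"\n'
             "aaa group server tacacs+ tac_admin\n"
             "  server x.x.x.x\n"
             "aaa authentication login default group tac_admin local\n"
             "aaa authentication login console group tac_admin local\n",
}
ACS_ATTRS = ["shell:Admin*Admin default-domain"]  # constructed: only Admin covered


if __name__ == "__main__":
    for name, cfg in CONTEXTS.items():
        print(f"context {name}: {check_context_aaa(cfg) or 'OK'}")
    print("contexts with no shell: attribute:", contexts_without_role(CONTEXTS, ACS_ATTRS))
```

Running it reports the missing accounting line in the "web" context and flags "web" as a context the ACS group grants no role for; both are the kinds of gaps the reply asks the poster to rule out before looking further at the AD side.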
05-06-2011 06:49 AM
Hi Anisha,
Thanks for your reply.
All the settings were done before the testing.
I have two users in the same group "Network Admins" on the ACS4.2. One is called Super and Super is authenticated through ACS internal database. The other one is called DomainAdmin and it's authenticated through Microsoft AD. Since they are in the same group, they have exactly the same privilege 15.
Both Super and DomainAdmin are working well with all other Cisco routers and switches. Super is also working well with the Cisco 4710 ACE. Only DomainAdmin cannot log in to the ACE.
Very confused. Hope someone can shed some light on this problem.
Robert
08-13-2013 08:34 AM
Does anyone have an answer to this?
Thanks.