Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
958
Views
0
Helpful
4
Replies

Cisco ACS 5.4 setup

Go to solution
JESSICA Walsh
Level 1
Level 1

‎10-08-2013 11:29 AM - edited ‎03-10-2019 08:58 PM

  I am setting up Cisco ACS 5.4  for my org. The way I have it set up, ACS passes the authentication off to a RADIUS server. The problem is that it does this for both the user and the enable password on each account. Is there a way to configure ACS to look locally in its internal identity stores for the enable password but to keep passing on the user portion to RADIUS?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎10-11-2013 07:44 AM

Hi Jessica,

I went through your query and it seems you would like login authentication to be checked against some other external radius server (proxy radius server) and enabled to be checked against the locally configured enable password on the ACS.

I don't think if this cannot be done with radius protocol however with tacacs we can use service attribute and can define in the identity > rule based selection that if service matches login point it to AD database or if matches enable point it to internal database. I've attached a screen shot of the same for your reference. The identity source could be anything from the configured databases.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

0 Helpful
4 Replies 4

Go to solution
aqjaved
Level 3
Level 3

‎10-11-2013 02:48 AM

ACS maintains different internal identity stores to maintain  user and host records. For each identity store, you can define identity  attributes associated with that particular store for which values are  defined while creating the user or host records. You can define these  identity attributes as part of identity dictionaries under the System  Administration section of the ACS application (System Administration  > Configuration > Dictionaries > Identity).

Each internal user record includes  a password, and you can define a second password as a TACACS+ enable  password. You can configure the password stored within the internal user  identity store to expire after a particular time period and thus force  users to change their own passwords periodically. Users can change their  passwords over the RADIUS or TACACS+ protocols or use the UCP web  service. Passwords must conform to the password complexity criteria that  you define in ACS.

Please check below  which may be helpful for you.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1123501

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎10-11-2013 07:44 AM

Hi Jessica,

I went through your query and it seems you would like login authentication to be checked against some other external radius server (proxy radius server) and enabled to be checked against the locally configured enable password on the ACS.

I don't think if this cannot be done with radius protocol however with tacacs we can use service attribute and can define in the identity > rule based selection that if service matches login point it to AD database or if matches enable point it to internal database. I've attached a screen shot of the same for your reference. The identity source could be anything from the configured databases.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Go to solution
JESSICA Walsh
Level 1
Level 1
In response to Jatin Katyal

‎10-14-2013 11:07 AM

Excellent! I tried this and it worked. It was exactly what I was trying to figure out. Thanks!

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to JESSICA Walsh

‎10-14-2013 11:36 AM

glad we could answer. I'd appreciate if you mark this thread resolved.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents