Cisco ACS 5.4 setup

JESSICA Walsh
Level 1

I am setting up Cisco ACS 5.4 for my org. The way I have it set up, ACS passes the authentication off to a RADIUS server. The problem is that it does this for both the user and the enable password on each account. Is there a way to configure ACS to look locally in its internal identity stores for the enable password but to keep passing on the user portion to RADIUS?


4 Replies

aqjaved
Level 3
ACS maintains different internal identity stores to maintain user and host records. For each identity store, you can define identity attributes associated with that particular store for which values are defined while creating the user or host records. You can define these identity attributes as part of identity dictionaries under the System Administration section of the ACS application (System Administration > Configuration > Dictionaries > Identity).

Each internal user record includes a password, and you can define a second password as a TACACS+ enable password. You can configure the password stored within the internal user identity store to expire after a particular time period and thus force users to change their own passwords periodically. Users can change their passwords over the RADIUS or TACACS+ protocols or use the UCP web service. Passwords must conform to the password complexity criteria that you define in ACS.

Please check below, which may be helpful for you.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1123501

Jatin Katyal
Cisco Employee
(Accepted Solution)

Hi Jessica,

I went through your query and it seems you would like login authentication to be checked against some other external RADIUS server (proxy RADIUS server) and enable to be checked against the locally configured enable password on the ACS.

I don't think this can be done with the RADIUS protocol; however, with TACACS+ we can use the service attribute and define in Identity > Rule based selection that if the service matches Login, point it to the AD database, or if it matches Enable, point it to the internal database. I've attached a screenshot of the same for your reference. The identity source could be anything from the configured databases.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
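Added example, not part of the thread and not Cisco or ACS code: a small Python model of why the accepted answer works over TACACS+. A TACACS+ authentication START packet carries an explicit service field (LOGIN for an exec login, ENABLE for a privilege escalation), so the server can branch on it before it ever looks at a password; the body is also obfuscated with the shared key, so that field is not visible on the wire without it. The code builds START packets per RFC 8907 (header, body, MD5 pseudo-pad obfuscation), parses them back, and applies the rule-based selection Jatin describes. The identity-store names, helper functions, sample username, session IDs and shared key are constructed for illustration and are not ACS identifiers or settings.

```python
"""Model of TACACS+ START packets and service-based identity selection.
Added example; packet layout per RFC 8907. Store names, helpers and sample
values are assumptions made for illustration, not ACS APIs or identifiers."""
import hashlib
import struct

# --- TACACS+ wire constants (RFC 8907) ---------------------------------------
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (the default minor version)
TAC_PLUS_AUTHEN = 0x01             # header "type": authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in clear (not set here)

TAC_PLUS_AUTHEN_LOGIN = 0x01       # START "action"
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # START "authen_type"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # START "authen_service": exec login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # START "authen_service": enable (privilege escalation)

# Hypothetical identity-source names standing in for the entries ACS would show
# in Identity > Rule based selection (assumptions, not ACS identifiers).
EXTERNAL_RADIUS_PROXY = "External RADIUS Proxy"   # login password is checked here
INTERNAL_USERS = "Internal Users"                 # TACACS+ enable password lives here


def build_start_body(user, service, priv_lvl=1, port="tty1", rem_addr="10.0.0.5"):
    """Authentication START body (RFC 8907 s5.1): 8 fixed bytes, then the
    variable-length user, port, rem_addr and data fields."""
    user_b, port_b, rem_b, data = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        service, len(user_b), len(port_b), len(rem_b), len(data))
    return fixed + user_b + port_b + rem_b + data


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 s4.5: chained MD5(session_id, key, version, seq_no[, prev])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_start_packet(user, service, session_id, key, seq_no=1):
    """Full packet as a device sends it: 12-byte header + obfuscated body (flags=0)."""
    body = build_start_body(user, service)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_start_packet(packet, key):
    """Return the START fields. Raises ValueError on a malformed packet, which is
    also the usual symptom of a wrong shared key (the length fields stop adding up)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length fields do not match body; wrong shared key?")
    off = 8
    user = body[off:off + ulen].decode("ascii", "replace"); off += ulen
    port = body[off:off + plen].decode("ascii", "replace"); off += plen
    rem_addr = body[off:off + rlen].decode("ascii", "replace")
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


def select_identity_store(service):
    """The rule-based selection from the accepted answer: branch on the TACACS+ service."""
    if service == TAC_PLUS_AUTHEN_SVC_LOGIN:
        return EXTERNAL_RADIUS_PROXY
    if service == TAC_PLUS_AUTHEN_SVC_ENABLE:
        return INTERNAL_USERS
    return None   # any other service falls through to the policy's default rule


def route_request(packet, key):
    """Return (user, identity store) for one START packet."""
    fields = parse_start_packet(packet, key)
    return fields["user"], select_identity_store(fields["service"])


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed sample key, not a real one
    login = build_start_packet("jwalsh", TAC_PLUS_AUTHEN_SVC_LOGIN, 0x1A2B3C4D, key)
    enable = build_start_packet("jwalsh", TAC_PLUS_AUTHEN_SVC_ENABLE, 0x1A2B3C4E, key)
    for pkt in (login, enable):
        print(route_request(pkt, key))
```

On the IOS side, `aaa authentication login default group tacacs+` produces the service LOGIN request and `aaa authentication enable default group tacacs+` the service ENABLE request, which is why the same ACS identity policy can send each to a different store. The parser deliberately refuses a body whose length fields do not add up; with the wrong shared key the deobfuscated bytes are noise and this is the check that catches it.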

Excellent! I tried this and it worked. It was exactly what I was trying to figure out. Thanks!

Glad we could answer. I'd appreciate it if you mark this thread resolved.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin