
Cisco Secure ACS integration issue on Cisco router

Mikee Hendricks
Level 1

Good day,

Please help me with my Cisco ACS integration issue. I already configured ACS, but when I try to configure AAA on the Cisco router and log in to the router remotely using telnet, I can't log in with the credentials that I created on ACS, while the credentials that I created on the router work. Please take a look at the router's config file for reference. I hope someone can resolve my issue.

 

Current configuration : 5496 bytes
!
! Last configuration change at 00:37:43 UTC Fri Jun 16 2023 by admin
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname CS01
!
boot-start-marker
boot-end-marker
!
!
enable password 7 13061E0108034A7B7977
!
username admin password 7 121A0C04110442557878
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.11.1 192.168.11.20
ip dhcp excluded-address 192.168.11.21
ip dhcp excluded-address 192.168.10.20 192.168.10.254
ip dhcp excluded-address 192.168.11.20 192.168.11.254
ip dhcp excluded-address 192.168.50.1 192.168.50.20
!
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 1.1.1.1 1.0.0.1
lease 0 8
!
ip dhcp pool VLAN11
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 1.1.1.1 1.0.0.1
lease 0 8
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 1.1.1.1 1.0.0.1
lease 0 8
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
interface GigabitEthernet0/0
no switchport
ip address 10.0.28.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 10,11
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk allowed vlan 10,11
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface GigabitEthernet1/0
negotiation auto
!
interface GigabitEthernet1/1
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 666
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet1/3
negotiation auto
!
interface GigabitEthernet2/0
negotiation auto
!
interface GigabitEthernet2/1
negotiation auto
!
interface GigabitEthernet2/2
shutdown
negotiation auto
!
interface GigabitEthernet2/3
switchport access vlan 50
switchport mode access
shutdown
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet3/0
switchport access vlan 50
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet3/1
switchport access vlan 50
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet3/2
switchport access vlan 50
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet3/3
switchport access vlan 50
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.50.2
ip helper-address 192.168.50.3
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip helper-address 192.168.50.2
ip helper-address 192.168.50.3
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
interface Vlan666
ip address 10.1.50.6 255.255.255.0
!
ip default-gateway 10.0.28.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.28.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

!
tacacs server CS01
tacacs server TAC
address ipv4 192.168.10.20
key 7 0307521805006F1D1C5A
!
control-plane
!
line con 0
line aux 0
line vty 5 15
!
!
end

Thank you.

6 Replies

tacacs server CS01<<- REMOVE THIS

AND CHECK AGAIN

Also please specify the source of AAA:

ip tacacs source ip <mgmt vlan svi ip>

Hi

Try this:

 

aaa authentication login default group CS01 local
aaa authentication enable default group CS01 enable
aaa authorization console
aaa authorization exec default group CS01 local
!
tacacs server TAC
 address ipv4 192.168.10.20
 key 7 0307521805006F1D1C5A
!
aaa group server tacacs+ CS01
 server name TAC
!
line vty 0 4
 transport input all
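As an added example (not from the thread, the poster, or Cisco), a small Python linter for the AAA/TACACS+ part of an IOS config that catches the things the replies point at: a `tacacs server` entry with no address or key, a `group` name in an `aaa authentication` line that no `aaa group server` defines, and a `ip tacacs source-interface` that points at an interface without an IP address. The sample config is constructed from the AAA section of the first config above; the parser assumes IOS-style one-space indentation for sub-commands.

```python
import re

# Constructed sample modelled on the first config in the thread: the stray "tacacs server CS01" has no address or key.
SAMPLE = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
interface GigabitEthernet0/1
 switchport mode trunk
ip tacacs source-interface GigabitEthernet0/1
tacacs server CS01
tacacs server TAC
 address ipv4 192.168.10.20
 key 7 0307521805006F1D1C5A
"""

def parse(config):
    # Return (top-level command, [indented sub-commands]) pairs, skipping "!" comments.
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks

def lint_tacacs(config):
    """Return findings that would stop TACACS+ login from working on this config."""
    blocks = parse(config)
    groups = {"tacacs+", "radius", "local", "enable", "none"}          # built-in method names
    groups |= {b[0].split()[4] for b in blocks if b[0].startswith("aaa group server ")}
    ifaces = {b[0].split()[1]: b[1] for b in blocks if b[0].startswith("interface ")}
    findings, src = [], None
    for cmd, subs in blocks:
        if cmd.startswith("tacacs server "):
            name = cmd.split()[2]
            missing = [k for k in ("address ipv4", "key") if not any(s.startswith(k + " ") for s in subs)]
            if missing:
                findings.append(f"tacacs server {name}: missing {' and '.join(missing)}")
        elif cmd.startswith("aaa auth"):
            for g in re.findall(r"group (\S+)", cmd):
                if g not in groups:
                    findings.append(f"{cmd!r}: undefined server group {g}")
        elif cmd.startswith("ip tacacs source-interface "):
            src = cmd.split()[3]
    if src is None or not any(s.startswith("ip address ") for s in ifaces.get(src, [])):
        findings.append(f"source-interface {src or '(none)'} missing or has no IP address (L2 port)")
    return findings
```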

Hi,

I already added the commands you mentioned; I can get into the system, but my enable password won't be accepted. The system prompts "error in authentication" although my enable password is correct. Here is my latest config:

aaa new-model
!
!
aaa group server tacacs+ ACS
server-private 10.0.29.20 key cisco.123
ip tacacs source-interface GigabitEthernet0/1
!
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization console
aaa authorization exec default group ACS local
!
aaa session-id common
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip dhcp pool VLAN 29
network 10.0.29.0 255.255.255.0
default-router 10.0.29.1
dns-server 1.1.1.1 1.0.0.1
lease 0 8
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin secret 8 $8$FKBJ7IAYZw0CTv$3rpxxATLk/TLwynvKBabFPKTdVjhV5L1NVttF5jgPJQ
!
redundancy
!
interface GigabitEthernet0/0
ip address 172.18.200.166 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 10.2.27.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.18.200.1
ip route 10.0.29.0 255.255.255.0 10.2.27.2
!
ipv6 ioam timestamp
!
!
access-list 1 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
transport input all
line vty 5 15
transport input all
!
no scheduler allocate
!
end

 

Thanks.

You are missing the commands:

aaa authorization commands 15 default group ACS  local
aaa authorization config-commands

ip tacacs source-interface GigabitEthernet0/1

Gig0/1 is an L2 port, not L3; you cannot use it here.

You need either an L3 port or the SVI of the mgmt VLAN.

hslai
Cisco Employee

@Mikee Hendricks ACS reached end of support a while ago, in case you are not aware.

ISE inherited most of the ACS features. One of the T+ features is allowing different passwords (e.g., using different ID sources) for login and enable. Please confirm that.

If the authentication or authorization request made it to ACS, you should see the event logged there. Please check for the event details and see if that result matches what you are seeing on the router side.