09-14-2011 08:04 AM - edited 03-10-2019 06:24 PM
Hi there
I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Retrieving authorization info from packet - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Processing Cisco vendor custom attributes:
(...)
09/14/11 16:53:03.406 TRACE [system] [http-443-7] [TACACS+ AAAModule] adding role: role0 = Admin
09/14/11 16:53:03.407 TRACE [system] [http-443-7] [TACACS+ AAAModule] Disconnecting from authorization socket - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.431 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (true)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.716 TRACE [admin] [http-443-7] exit with (true)
09/14/11 16:53:03.722 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.722 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.723 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.723 TRACE [admin] [http-443-7] exit with (true)
631531: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='netadmin' and policyPartition = 'root']
631532: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [getDmm invoked]
631533: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_ENTRY_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10011]: Thread Id : [204], Entering Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].
631534: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_EXIT_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10012]: Thread Id : [204], Exiting Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].
631535: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [netadmin]
631536: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [userNotFound=true]
631537: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [No Fallback Related Exception. Hence falling back to next provider]
Does anybody know what is wrong with my configuration?
Thanks a lot in advance and best regards
Dominic
09-17-2011 05:17 AM
I found the solution, I forgot this line:
--> virtual-domain0=ROOT-DOMAIN
role0=Admin
task0=View Alerts and Events
task1=Device Reports
task2=RADIUS Servers
...
Regards
Dominic
03-19-2012 05:34 PM
Hi Dominic,
I'm having the same issue, I'm trying to configure ACS with NCS but no luck. What configuration guide are you using?
Any help will be greatly appreciated.
03-20-2012 01:52 AM
Hi Esomarriba
here you can see my working configuration:
1. You need to configure the new NCS service under the Interface Configuration > TACACS+ (as for WCS too):
2. You need to configure the NCS attributes under the Group or User Configuration:
The important line is the first one, "virtual-domain0=ROOT-DOMAIN". I forgot this at first, but now it is working.
Hope this helps you to solve your problem, otherwise just ask. Do not forget to rate the answers ;-)
Best regards
Dominic
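As an added example (not code from this thread, from Cisco ACS or from NCS), here is a small Python checker that parses an ACS custom-attribute block like the one above and flags the misconfiguration Dominic hit, a missing virtual-domain0 line, before it is pushed to ACS. Only the attribute names virtual-domainN, roleN and taskN come from the thread; the line format, the "--> " marker handling and the validation rules are assumptions.

```python
import re

# Attribute key patterns taken from the thread's working configuration.
VIRTUAL_DOMAIN_RE = re.compile(r"^virtual-domain(\d+)$")
ROLE_RE = re.compile(r"^role(\d+)$")
TASK_RE = re.compile(r"^task(\d+)$")


def parse_av_pairs(text):
    """Parse one 'key=value' custom attribute per line into a dict.
    Blank lines, '...' and lines without '=' are skipped; a leading
    '--> ' marker (as used in the thread) is tolerated (assumption)."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-> ").strip()
        if not line or line == "..." or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def check_ncs_attributes(pairs):
    """Return a list of problems; an empty list means the set contains
    what the thread identified as necessary for an NCS login."""
    problems = []
    domains = [k for k in pairs if VIRTUAL_DOMAIN_RE.match(k)]
    roles = [k for k in pairs if ROLE_RE.match(k)]
    tasks = [k for k in pairs if TASK_RE.match(k)]
    if not domains:
        problems.append("missing virtual-domain<N> (e.g. virtual-domain0=ROOT-DOMAIN): "
                        "TACACS+ authorization succeeds but the NCS login still fails")
    if not roles:
        problems.append("missing role<N> (e.g. role0=Admin)")
    for k in domains + roles + tasks:
        if not pairs[k]:
            problems.append(f"{k} has an empty value")
    return problems


# Constructed samples: the thread's attribute set without and with the fix.
BROKEN = "role0=Admin\ntask0=View Alerts and Events\ntask1=Device Reports\n"
FIXED = "--> virtual-domain0=ROOT-DOMAIN\n" + BROKEN + "...\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ncs_attributes(parse_av_pairs(cfg)) or "OK")
```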
06-19-2012 07:37 AM
Thanks, I was having the same issue and was having a hard time finding the solution! This fixed it!
03-13-2013 02:50 PM
Do these steps also work on Cisco Prime Infrastructure, or do you necessarily need a Cisco ACS 5.x?
03-15-2013 12:08 PM
With ACS 4 it should work as well.
02-05-2013 10:58 PM
Hi guys,
I am trying to follow the solution, but I was rejected by AD. In my NCS Prime I am getting the following error:
257777: loopback: Feb 06 2013 13:02:43.279 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='s102069' and policyPartition = 'root']
257781: loopback: Feb 06 2013 13:02:43.280 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]
257793: loopback: Feb 06 2013 13:02:43.332 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [ [TacacsLoginModule] Attemp to authenticate user: s102069]
257796: loopback: Feb 06 2013 13:02:43.333 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [ [TacacsLoginModule] user entered username: s102069]
258117: loopback: Feb 06 2013 13:02:43.458 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]
The user ID and password were able to log in to WCS.