09-14-2011 08:04 AM - edited 03-10-2019 06:24 PM
Hi there
I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to log in to the NCS it fails; in the NCS logs I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Retrieving authorization info from packet - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Processing Cisco vendor custom attributes:
(...)
09/14/11 16:53:03.406 TRACE [system] [http-443-7] [TACACS+ AAAModule] adding role: role0 = Admin
09/14/11 16:53:03.407 TRACE [system] [http-443-7] [TACACS+ AAAModule] Disconnecting from authorization socket - From Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.431 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (true)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.716 TRACE [admin] [http-443-7] exit with (true)
09/14/11 16:53:03.722 TRACE [admin] [http-443-7] entry with (NCS)
09/14/11 16:53:03.722 TRACE [admin] [http-443-7] exit with (false)
09/14/11 16:53:03.723 TRACE [admin] [http-443-7] entry with (Demo)
09/14/11 16:53:03.723 TRACE [admin] [http-443-7] exit with (true)
631531: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='netadmin' and policyPartition = 'root']
631532: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [getDmm invoked]
631533: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_ENTRY_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10011]: Thread Id : [204], Entering Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].
631534: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_EXIT_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10012]: Thread Id : [204], Exiting Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].
631535: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [netadmin]
631536: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [userNotFound=true]
631537: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [No Fallback Related Exception. Hence falling back to next provider]
Does anybody know what is wrong with my configuration?
Thanks a lot in advance and best regards
Dominic
09-17-2011 05:17 AM
I found the solution; I had forgotten this line:
--> virtual-domain0=ROOT-DOMAIN
role0=Admin
task0=View Alerts and Events
task1=Device Reports
task2=RADIUS Servers
...
Regards
Dominic
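The fix above is a missing first attribute line, which is easy to overlook when the attribute block is pasted into ACS by hand. As an added check that is not part of the original thread, this small validator parses an NCS custom-attribute block in the `name<N>=value` form shown above and reports a missing `virtual-domain0`, a missing `role0`, and non-contiguous indices; the sample blocks are constructed to reproduce the mistake from this thread.

```python
"""Sanity-check the TACACS+ custom attributes ACS returns to NCS.

Added example, not from the original thread. Attribute families
(virtual-domain, role, task) are the ones shown in the thread; the
sample blocks are constructed to reproduce the missing-virtual-domain case.
"""
import re

# name<index>=value, e.g. virtual-domain0=ROOT-DOMAIN or task12=Device Reports
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z-]+?)(?P<idx>\d+)=(?P<value>.+)$")

# Families that must be present with index 0; without virtual-domain0 the
# TACACS+ authorization succeeds but NCS cannot map the user (see the logs above)
REQUIRED = ("virtual-domain", "role")


def parse_attributes(text):
    """Parse attribute lines into {family: {index: value}}; skip blanks and '...'."""
    families = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "...")):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed attribute line: %r" % line)
        families.setdefault(m["name"], {})[int(m["idx"])] = m["value"]
    return families


def check_attributes(text):
    """Return a list of problems; an empty list means the block looks usable."""
    families = parse_attributes(text)
    problems = []
    for fam in REQUIRED:
        if 0 not in families.get(fam, {}):
            problems.append("missing %s0" % fam)
    for fam, entries in families.items():
        # indices must run 0,1,2,... without gaps, otherwise later entries are ignored
        if sorted(entries) != list(range(len(entries))):
            problems.append("%s indices are not contiguous: %s" % (fam, sorted(entries)))
    if "task" not in families:
        problems.append("no taskN entries present")
    return problems


# Constructed sample: the thread's block with the virtual-domain0 line left out
BROKEN = "role0=Admin\ntask0=View Alerts and Events\ntask1=Device Reports\ntask2=RADIUS Servers\n"
FIXED = "virtual-domain0=ROOT-DOMAIN\n" + BROKEN

if __name__ == "__main__":
    print(check_attributes(BROKEN))  # ['missing virtual-domain0']
    print(check_attributes(FIXED))   # []
```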
03-19-2012 05:34 PM
Hi Dominic,
I'm having the same issue: I'm trying to configure ACS with NCS, but no luck. What configuration guide are you using?
Any help will be greatly appreciated.
03-20-2012 01:52 AM
Hi Esomarriba
Here you can see my working configuration:
1. You need to configure the new NCS service under the Interface Configuration > TACACS+ (as for WCS too):
2. You need to configure the NCS attributes under the Group or User Configuration:
The important line is the first one, "virtual-domain0=ROOT-DOMAIN". I forgot this at first, but now it is working.
Hope this helps you to solve your problem, otherwise just ask. Do not forget to rate the answers ;-)
Best regards
Dominic
06-19-2012 07:37 AM
Thanks, I was having the same issue and was having a hard time finding the solution! This fixed it!
03-13-2013 02:50 PM
Do these steps also work on Cisco Prime Infrastructure, or is a Cisco ACS 5.x necessarily needed?
03-15-2013 12:08 PM
With ACS 4 it should work as well.
02-05-2013 10:58 PM
Hi guys,
I am trying to follow the solution, but I was rejected by AD. In my NCS Prime I am getting the following error:
257777: loopback: Feb 06 2013 13:02:43.279 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='s102069' and policyPartition = 'root']
257781: loopback: Feb 06 2013 13:02:43.280 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]
257793: loopback: Feb 06 2013 13:02:43.332 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [[TacacsLoginModule] Attemp to authenticate user: s102069]
257796: loopback: Feb 06 2013 13:02:43.333 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [[TacacsLoginModule] user entered username: s102069]
258117: loopback: Feb 06 2013 13:02:43.458 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]
The user ID and password were able to log in to WCS.