NCS TACACS+ with ACS 4.2

Hi there

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:

1. Configured the service for NCS with HTTP (see attachment)

2. Added the tasks to the user (see attachment)

When I try to log in to the NCS it fails; in the logs on the NCS I see the following lines:

09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin

09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin

09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Retrieving authorization info from packet  - From Server:  192.168.49.14  - For User:  netadmin

09/14/11 16:53:03.343 TRACE [system] [http-443-7] [TACACS+ AAAModule] Processing Cisco vendor custom attributes: 

(...)

09/14/11 16:53:03.406 TRACE [system] [http-443-7] [TACACS+ AAAModule] adding role: role0 = Admin

09/14/11 16:53:03.407 TRACE [system] [http-443-7] [TACACS+ AAAModule] Disconnecting from authorization socket  - From Server:  192.168.49.14  - For User:  netadmin

09/14/11 16:53:03.431 TRACE [admin] [http-443-7] entry with (NCS)

09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (false)

09/14/11 16:53:03.432 TRACE [admin] [http-443-7] entry with (Demo)

09/14/11 16:53:03.432 TRACE [admin] [http-443-7] exit with (true)

09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (NCS)

09/14/11 16:53:03.715 TRACE [admin] [http-443-7] exit with (false)

09/14/11 16:53:03.715 TRACE [admin] [http-443-7] entry with (Demo)

09/14/11 16:53:03.716 TRACE [admin] [http-443-7] exit with (true)

09/14/11 16:53:03.722 TRACE [admin] [http-443-7] entry with (NCS)

09/14/11 16:53:03.722 TRACE [admin] [http-443-7] exit with (false)

09/14/11 16:53:03.723 TRACE [admin] [http-443-7] entry with (Demo)

09/14/11 16:53:03.723 TRACE [admin] [http-443-7] exit with (true)

631531: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='netadmin' and policyPartition = 'root']

631532: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [getDmm invoked]

631533: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_ENTRY_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10011]: Thread Id : [204], Entering Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].

631534: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-METHOD_EXIT_MESSAGE: %[ch=com.cisco.xmp.usermgmt][mid=10012]: Thread Id : [204], Exiting Method : [executeDmmQuery], Class : [XmpUserMgmtDmmHelper].

631535: loopback: Sep 14 2011 16:53:03.088 +0200: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [netadmin]

631536: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [userNotFound=true]

631537: loopback: Sep 14 2011 16:53:03.089 +0200: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [No Fallback Related Exception. Hence falling back to next provider]

Does anybody know what is wrong with my configuration?

Thanks a lot in advance and best regards

Dominic

7 Replies

I found the solution, I forgot this line:

--> virtual-domain0=ROOT-DOMAIN

role0=Admin

task0=View Alerts and Events

task1=Device Reports

task2=RADIUS Servers

...

Regards

Dominic

Hi Dominic,

I'm having the same issue; I'm trying to configure ACS with NCS but no luck. What configuration guide are you using?

Any help will be greatly appreciated.

Hi Esomarriba

Here you can see my working configuration:

1. You need to configure the new NCS service under the Interface Configuration > TACACS+ (as for WCS too):

2. You need to configure the NCS attributes under the Group or User Configuration:

The important line is the first one, "virtual-domain0=ROOT-DOMAIN"; I forgot this at first, but now it is working.

Hope this helps you to solve your problem, otherwise just ask. Do not forget to rate the answers ;-)

Best regards

Dominic
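A small checker for the attribute set Dominic posted, added here as an example (it is not code from the thread or from Cisco): it parses the numbered virtual-domainN / roleN / taskN pairs an ACS group or user returns to NCS and reports the gap that broke the login above, a role and task list with no virtual-domain. The contiguous-index check is an assumption of this example, not something the thread states.

```python
"""Checker for the NCS TACACS+ custom attributes configured on an ACS group/user.
Added example: flags the missing virtual-domainN line that caused the rejected
login in this thread."""
import re
from typing import Dict, List

_ATTR_RE = re.compile(r"^(virtual-domain|role|task)(\d+)=(.+)$")

# Constructed samples, copied from the attribute lines posted in the thread.
BROKEN_SAMPLE = ["role0=Admin", "task0=View Alerts and Events",
                 "task1=Device Reports", "task2=RADIUS Servers"]
WORKING_SAMPLE = ["--> virtual-domain0=ROOT-DOMAIN"] + BROKEN_SAMPLE + ["..."]


def parse_ncs_attributes(lines: List[str]) -> Dict[str, Dict[int, str]]:
    """Group attributes by kind -> {index: value}. Lines that are not AV pairs
    (the '...' and the '-->' emphasis marker from the post) are ignored."""
    found: Dict[str, Dict[int, str]] = {"virtual-domain": {}, "role": {}, "task": {}}
    for raw in lines:
        m = _ATTR_RE.match(raw.strip().lstrip("-> ").strip())
        if m:
            found[m.group(1)][int(m.group(2))] = m.group(3).strip()
    return found


def check_ncs_attributes(lines: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the set is complete."""
    attrs = parse_ncs_attributes(lines)
    problems = []
    if not attrs["virtual-domain"]:
        problems.append("missing virtual-domainN: user cannot be placed in a domain")
    if not attrs["role"]:
        problems.append("missing roleN: user would have no NCS role")
    if not attrs["task"]:
        problems.append("missing taskN: role carries no permitted tasks")
    # Assumption of this example: indices are read from 0 upwards, so a gap
    # (task0, task2 but no task1) is most likely a typo worth reporting.
    for kind, values in attrs.items():
        if values and sorted(values) != list(range(len(values))):
            problems.append(f"{kind} indices are not contiguous from 0: {sorted(values)}")
    return problems


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_SAMPLE), ("working", WORKING_SAMPLE)):
        print(name, check_ncs_attributes(sample) or "OK")
```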

Thanks, I was having the same issue and was having a hard time finding the solution!  This fixed it!

Do these steps also work on Cisco Prime Infrastructure, or is a Cisco ACS 5.x necessarily needed?

With ACS 4 it should work as well.

Hi guys,

I am trying to follow the solution, but I was rejected by AD. I am getting

ACS error: External DB user invalid or bad password in ACS 4.2.

In my NCS Prime I am getting the following error:

257777: loopback: Feb 06 2013 13:02:43.279 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The query is :select p from XmpUser p where p.username='s102069' and policyPartition = 'root']

257781: loopback: Feb 06 2013 13:02:43.280 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]

257793: loopback: Feb 06 2013 13:02:43.332 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [ [TacacsLoginModule] Attemp to authenticate user: s102069]

257796: loopback: Feb 06 2013 13:02:43.333 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [ [TacacsLoginModule] user entered username: s102069]

258117: loopback: Feb 06 2013 13:02:43.458 +0800: %XMP-7-USER0206: %[ch=com.cisco.xmp.usermgmt][mid=206]: Cannot find user: [s102069]

The user ID and password were able to log in to WCS.