Solved: tacacs not passing authentication to windows database in AD.

mike.hemingway · ‎08-21-2011

I'm looking to setup tacacs in our environment using windows database authentication. However, i do not understand what else I need to do on the tacacs server to pass authentication to windows database on our domain. I've already created the special user account in AD for tacacs and chose to the widows database authentication option on tacacs server. Local tacacs authentication works fine but would like to use windows database

and is not working. Can someone help me?

Fabio Francisco · ‎08-21-2011

Hey Michael,

basically we need more info like what version of ACS you are running and version AD 2003, 2008 etc... bare in mind that AVS version 4.0 - 4.2 does not work with AD 2008 R2.

Basically we need few more steps:

1.) set up a computer account and name it cisco

2.) set up local policies in your windows

3.) are you installing ACS on your DC or on a member server??

4.) make sure that ACS services are running with the account that you have created in AD, make sure to give the account the appropriate rights...

Basically all the stuff listed above can be found in more detail here:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wpxref2582

In ACS go to:

External database User > Database Group Mapping > Windows Database

and see if you can find you Domain in there if so it will be just a matter of mapping Security groups of AD with ACS groups...

also make sure that you see aaa correctly like this:

!

aaa new-model

!

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

tacacs-server host TACACS IP key YOUR PASSWORD

tacacs-server timeout 3

tacacs-server directed-request

Cheers,

Fabio

View solution in original post

Fabio Francisco · ‎08-24-2011

Hey Michael,

for the number 4 make sure that you set the permissions right. In my previous post I sent you a link to some instruction. I followed those instructions to get it working.

That document also mentioned:

- DNS, make sure that it operates correctly

- NETBIOS, i did not enable this on mine but perhaps you could try...

- The member server that you are installing ACS is joined to the domain right?

- perhaps patch your ACS, I'm running Release 4.2(1) Build 15 Patch 4, I actually run it on virtual infrastructure and if you are too I would recommend you to take a snapshot before patching it.

Hopefully you get that sorted soon mate...

Cheers,

Fabio

View solution in original post

Fabio Francisco · ‎08-25-2011

Hey Michael,

Glad to hear that it 's all working....

1.) yes have a look at my aaa configin particular to this line: "aaa authorization exec default group tacacs+ if-authenticated" that will do exactly what you want...

2.) yes set up to security groups in AD name them eq ACS adm ACS restricted > map those groups with groups in ACS and rename the groups in ACS accordingly > edit the groups allowing ACS admin privilege 15 and the ACS restricted a lower privelege that suits you and your conpany...

Please don't forget to rate helpfull answers

Cheers,

Fabio

View solution in original post

Fabio Francisco · ‎08-29-2011

Hey Michael,

This will give you the accounting

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

and to check it on ACS go to Reports > Administration

Thanks for the rating

Cheers,

Fabio

View solution in original post

Fabio Francisco · ‎08-21-2011

Hey Michael,

basically we need more info like what version of ACS you are running and version AD 2003, 2008 etc... bare in mind that AVS version 4.0 - 4.2 does not work with AD 2008 R2.

Basically we need few more steps:

1.) set up a computer account and name it cisco

2.) set up local policies in your windows

3.) are you installing ACS on your DC or on a member server??

4.) make sure that ACS services are running with the account that you have created in AD, make sure to give the account the appropriate rights...

Basically all the stuff listed above can be found in more detail here:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wpxref2582

In ACS go to:

External database User > Database Group Mapping > Windows Database

and see if you can find you Domain in there if so it will be just a matter of mapping Security groups of AD with ACS groups...

also make sure that you see aaa correctly like this:

!

aaa new-model

!

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

tacacs-server host TACACS IP key YOUR PASSWORD

tacacs-server timeout 3

tacacs-server directed-request

Cheers,

Fabio

mike.hemingway · ‎08-24-2011

Fabio,

I'm running ACS v4.2 running on windows 2003 r2. Below are the answers to your questions....

1.) set up a computer account and name it cisco = done

2.) set up local policies in your windows = done

3.) are you installing ACS on your DC or on a member server = member server

4.) make sure that ACS services are running with the account that you have created in AD, make sure to give the account the appropriate rights. = done.

I've made the approcitate changes but still not working. Do i need to do anything in IAS on the DC?

Fabio Francisco · ‎08-24-2011

Hey Michael,

for the number 4 make sure that you set the permissions right. In my previous post I sent you a link to some instruction. I followed those instructions to get it working.

That document also mentioned:

- DNS, make sure that it operates correctly

- NETBIOS, i did not enable this on mine but perhaps you could try...

- The member server that you are installing ACS is joined to the domain right?

- perhaps patch your ACS, I'm running Release 4.2(1) Build 15 Patch 4, I actually run it on virtual infrastructure and if you are too I would recommend you to take a snapshot before patching it.

Hopefully you get that sorted soon mate...

Cheers,

Fabio

mike.hemingway · ‎08-25-2011

Thanks Fabio !!!

Tacacs is now passing windows authentication to AD and i'm able to login using my credentials after installing the patch. Thank you very much!!!

I have two additional questions...

1) Is there a way to allow a windows login to be used as the local enable password after authenticating with AD so that user

does have use the local enable password. I thought i saw this feature on the tacacs server but i'm unable to locate it.

2) I need to setup a user account that will have read-only access (no access to config mode) on a router. I tried using the tacacs+ settings but i'm unable to get it to work. Can you help me?

Your help would be greatly apprecited.

Fabio Francisco · ‎08-25-2011

Hey Michael,

Glad to hear that it 's all working....

1.) yes have a look at my aaa configin particular to this line: "aaa authorization exec default group tacacs+ if-authenticated" that will do exactly what you want...

2.) yes set up to security groups in AD name them eq ACS adm ACS restricted > map those groups with groups in ACS and rename the groups in ACS accordingly > edit the groups allowing ACS admin privilege 15 and the ACS restricted a lower privelege that suits you and your conpany...

Please don't forget to rate helpfull answers

Cheers,

Fabio

mike.hemingway · ‎08-28-2011

Fabio, we're getting closer. I'm able to login seamlessly using acsadmin group and no longer have to type the enable password. However, the acsrestricted group, prompts the user to type the local enable password and still allowing him into config mode. I want users in that group (acsrestricted) to only have view-only (no config mode)? In acs under the acsrestricted group, i choose privilege level 0 and selected >shell command authorization set> per group command authorization>deny config but still not working. Do you have any idea what this is still happening?

Fabio Francisco · ‎08-28-2011

Hey Michael,

Does the users from the restricted group know your enable password? keep it confidential and you will have a secure network in that regards. I don't think there is a need to restrict the user to type enable...

Are you doing accounting as well?I would reccomend setting that up too specially when troubleshooting a problem so you can check the history of commands typed in a particular device....

Hey mate I'd appreciate if you rate my posts.

Cheers,

Fabio

mike.hemingway · ‎08-29-2011

Yes, He does know the enable password. I'll change it and keep it confidential.

I'd like to setup accounting but i'm not sure how to configure. Are there any special commands i need? Where do I view the changes once i setup accounting? Any recommendations to get me started?

My apoligies for not rating your posts earlier. I'm new to the cisco support community and have been fumbling around the site learning how it works. Last couple of times the average ratings have been greyed out and unable to do so. You have been extremly helpful and appreciate all your help.

Fabio Francisco · ‎08-29-2011

Hey Michael,

This will give you the accounting

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

and to check it on ACS go to Reports > Administration

Thanks for the rating

Cheers,

Fabio

mike.hemingway · ‎08-30-2011

Thanks Fabio!!! ,

You were very very helpful. You deserve a raise!

cheers

Fabio Francisco · ‎08-30-2011

No worries mate, glad that I could help.

Cheers,

Fabio