08-08-2012 12:38 PM - edited 03-10-2019 07:23 PM
Users whose status is manually disabled do not have difficulty authenticating and accessing/managing network devices. That makes me wonder: what is the difference between status enabled and disabled?
Thanks,
Kerim
08-27-2012 09:33 AM
Kerim,
I just can't get RADIUS to work the way it used to in ACS 4.2. It is as if RADIUS is dedicated to Default Network Access as opposed to Default Network Admin.
You are correct, the Default Network Access template is for RADIUS-based authentication; you cannot assign a shell profile since that is for TACACS. When you create a new access service it uses either a TACACS or a RADIUS template.
Even when I let RADIUS be used for Default Network Access, I was not able to associate a shell profile that allows priv-level 15.
Make sure that your authorization profile has the right cisco-av-pair assigned (shell:priv-lvl=15).
In ACS 4.2, if you are in the admin group you just see the switch# prompt, but in ACS 5.3 if you use RADIUS you will be at the switch> prompt.
If you are passing the attribute above, make sure that the command "aaa authorization exec default group radius" is configured.
How do I go about solving this? The other problem I am facing is: when my two ACS instances are standalone they work fine, but as soon as I make one of them secondary, the secondary can't authenticate against the RSA server; it only authenticates local users. Why is that so? I believe if we can solve this I am ready to go into production with 5.3.
I cannot think of why this is the case right off the top of my head. Your best bet for this issue is to open a TAC case and have them set up a WebEx and take a look. I am sure it is something simple, but WebEx is the fastest method because of all the different pieces it takes to make this work.
thanks,
Tarik Admani
*Please rate helpful posts*
08-27-2012 04:09 PM
Hi Mohammed,
ACS 5 does not have the feature of IP pools. Logically it's always good to set up pools locally on the VPN server, and if you want a user to pick an IP from a specific local pool you can configure ACS to push that attribute.
On ACS go to Policy Elements -> Network Access -> Authorization Profiles -> Create ->
Name of the Policy -> Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x
Attribute Type: CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
Attribute Type: String
Attribute Value: Static MYPOOL (name of the pool which is defined on the ASA)
Access Policies -> Default Network Access -> Authorization -> Create -> under the Result section, call the authorization profile.
Hope that helps!
Regards,
~JG
DO rate helpful posts
08-29-2012 01:52 PM
Hi Kerim,
Cisco av-pair is used for Cisco devices only. For other third-party devices, a separate attribute is required to be pushed by the RADIUS server.
You have to add these attributes; they are defined under ACS 5 GUI > System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.
Then we need to call it in the authorization profile under Policy Elements > Authorizations > Network Access > Authorization Profiles.
Here is the VSA for netscreen.
Name=Netscreen
IETF Code=3224
VSA 1=NS-Admin-Privilege
VSA 2=NS-Admin-Vsys-Name
VSA 3=NS-User-Group
VSA 4=NS-Primary-DNS-Server
VSA 5=NS-Secondary-DNS-Server
VSA 6=NS-Primary-WINS-Server
VSA 7=NS-Secondary-WINS-Server
Regards,
~JG
Do rate helpful posts
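As an added example (not code from this thread, from ACS or from any vendor), the Python below encodes and decodes RADIUS Vendor-Specific Attributes (RFC 2865 type 26), showing how the Netscreen dictionary above (IETF code 3224, VSA 1 = NS-Admin-Privilege) and the cisco-av-pair mentioned earlier in the thread (Cisco vendor 9, VSA 1, value shell:priv-lvl=15) are laid out on the wire. The sample attribute values and the User-Name attribute are constructed for illustration.

```python
"""Encode/decode RADIUS Vendor-Specific Attributes (RFC 2865 type 26)."""
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs
NETSCREEN_VENDOR = 3224   # IETF enterprise code from the dictionary above
CISCO_VENDOR = 9          # Cisco enterprise code (cisco-av-pair is VSA 1)
# Name tables mirror the VSA dictionary posted above (VSA 1..7) plus cisco-av-pair.
NETSCREEN_VSAS = {1: "NS-Admin-Privilege", 2: "NS-Admin-Vsys-Name",
                  3: "NS-User-Group", 4: "NS-Primary-DNS-Server",
                  5: "NS-Secondary-DNS-Server", 6: "NS-Primary-WINS-Server",
                  7: "NS-Secondary-WINS-Server"}
DICTIONARIES = {NETSCREEN_VENDOR: NETSCREEN_VSAS, CISCO_VENDOR: {1: "cisco-av-pair"}}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one attribute: Type(26) Len VendorId(4) VendorType VendorLen Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:   # RADIUS attribute length is a single octet
        raise ValueError("VSA value too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return (vendor, name, value) per VSA.
    Length fields are checked so a truncated or malformed attribute raises
    ValueError instead of being silently misread."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA too short")
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen < 2 or 4 + vlen > len(body):
                raise ValueError("bad vendor length")
            name = DICTIONARIES.get(vendor, {}).get(vtype, f"vendor-{vendor}/{vtype}")
            out.append((vendor, name, body[6:4 + vlen]))
        i += alen
    return out


if __name__ == "__main__":
    # Constructed sample: User-Name "kerim" followed by two VSAs.
    sample = b"\x01\x07kerim" + encode_vsa(NETSCREEN_VENDOR, 1, b"1")
    sample += encode_vsa(CISCO_VENDOR, 1, b"shell:priv-lvl=15")
    print(decode_vsas(sample))
```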
08-08-2012 01:08 PM
Kerim,
I wanted to know how you are authenticating the clients. If you look at the report does it point to the internal database?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-08-2012 01:27 PM
Hi Tarik,
I see what you mean. We are using a sequential identity data store. At the top of the sequence is the RSA server, followed by internal users, so if a user is not found on the RSA server it falls through to the internal DB. For users on the internal DB, the status field matters! For users on the RSA server, the status field doesn't matter.
08-08-2012 01:38 PM
08-08-2012 01:45 PM
That is correct, are you testing with kerimtest? Because that looks like it is passing and failing, but I can see the timestamp.
Tarik Admani
*Please rate helpful posts*
08-08-2012 01:52 PM
Yes, that is my internal user test account. Things seem to be going fine. I am in the process of installing the secondary instance. I think I am going to need a separate license. Is that right?
08-08-2012 02:21 PM
Yes, you will need a separate license to join this ACS to the primary ACS.
Tarik Admani
*Please rate helpful posts*
08-13-2012 01:49 PM
Hi Tarik,
I installed the secondary ACS server. I tried to register it to the primary. I gave the IP address (DNS not yet configured) and the acsadmin password, but the registration times out saying either wrong IP address or wrong username and password. FYI, we allowed only TCP port 2638. We didn't open other ports like TCP 61616, TCP 2020 and TCP 2030 and UDP 20514. Kind of a strict environment. I am using the web login credentials as opposed to the CLI credentials. Please let me know what could be causing this failure.
08-13-2012 01:53 PM
You need all the ports open for this to work. You also need DNS with PTR records. Please make sure these are in place and try again.
Sent from Cisco Technical Support iPad App
08-13-2012 02:25 PM
Can you tell me why we need these TCP ports (2020 and 2030)? We don't have a voice network.
Thanks
08-13-2012 02:30 PM
Kerim,
This is not for voice calls; the calls in this context refer to the RMI processes:
http://www.javacoffeebreak.com/articles/javarmi/javarmi.html
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 02:34 PM
Thanks Tarik!
08-13-2012 02:42 PM
Tarik,
Things changed a bit. Previously TCP port 2000 was all you needed for database replication; now it is a bunch of ports. I used to be a Java programmer, in fact a certified Java programmer. Look at me now (asking about RMI). I will request a DNS entry and also the firewall ports to be opened, and will give it a shot tomorrow.
Thanks Tarik.
08-14-2012 07:52 AM
Hi Tarik,
The PTR records are created and the required ports opened (TCP 2638, 61616, 2020, 2030, UDP 20514), unidirectional (from primary to secondary). I used both the CLI and web login credentials (not sure which one I should be using). Still no success registering the secondary to the primary. Is there some change to be made on the primary as a first step? Anything I could be missing?
Thanks,
Kerim
08-14-2012 08:11 AM
Can you please try port 443 also, please make sure that the ports are open in both directions.
Also is there an existing secondary node entry on the primary deployment page? If so, please delete that and try again.
Thanks,
Tarik Admani
*Please rate helpful posts*