cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1249
Views
0
Helpful
2
Replies

CSM 4.1\ACS5.1 non-ACS AAA failure

cabejames
Level 1
Level 1

Greetings,

I know that CW Common Services 3.3 does not work with pre-defined roles on ACS AAA. So I followed these forums and enabled non-ACS AAA and selected TACACS+. I have a single rule that is matching in my ACS (after looking at the audit trail):

Authentication Details

Status:

Passed

Failure Reason:

Logged At:

Jan 10, 2012 11:56 PM

ACS Time:

Jan 10, 2012 11:56 PM

ACS Instance:

Hou-ACS

Authentication Method:

PAP_ASCII

Authentication Type:

ASCII

Privilege Level:

1

User

Username:

xxxxx.xxxxx

Remote Address:

10.250.xxx.xxx

Network Device

Network Device:

fw1.outside.hq.hou.tx.us

Network Device IP Address:

10.250.xxx.xxx

Network Device Groups:

Device Type:All Device Types, Location:All Locations

Access Policy

Access Service:

ad.security.sgITnetworkM

Identity Store:

AD1

Selected Shell Profile:

Priv15

Active Directory Domain:

corp.org

Identity Group:

All Groups

Access Service Selection Matched Rule :

networkEngineer

Identity Policy Matched Rule:

Default

Selected Identity Stores:

AD1

Query Identity Stores:

Selected Query Identity Stores:

Group Mapping Policy Matched Rule:

Default

Authorization Policy Matched Rule:

Rule-1

Authorization Exception Policy Matched Rule:

As you may have noticed even though it is matching an access service that allows Priv15. That doesn't seem to be passing through as you can see on top I am only receiving Priv 1. What can I do to properly pass through the access service profile?

2 Replies 2

kdotzoltan_2004
Level 1
Level 1

Hi James,

any luck sorting this out? Where did you find the initial guidance to set this up?

I'm trying to manage a similar setup, and i assume some Custom Attributes might do the trick but I'm unable to find anything online.

To anyone who may be searching for this:

CSM can do authentication from a non-Cisco TACACS server and you can register ACS 5.x as such. However, authorization in these cases will have to come from the CSM's internal database.

In short: you can use the ACS for authentication (so the users wouldn't need to remember yet another password) then replicate those users, who you want to access CSM within CSM (it's not important what password you set for them) and set up the access rights you wish to give them from within CSM.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: