ACS 5.2 TACACS+ LDAP Issue

mkeider123
Level 1

Using ACS 5.2 configured for TACACS+ and using LDAP for user authentication - LDAP Bind test is good.

When using LDAP for Identity: users authenticate but do not authorize and get the default rule.

When using a Local User on the ACS for Identity: that user authenticates and authorizes - hitting the correct rule.

What is missing?

Thanks.

2 Replies

Federico Ziliotto
Cisco Employee

Hi Mark,

Could you please attach a screenshot of the set of conditions for your authorization rules?

Thank you,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Federico.

I use ACS 5.2, and I have the same problems with authorization when I use an external LDAP server. When I'm using LDAP for Identity: users authenticate but do not authorize and get the default rule. Can you help with this question?

In the TACACS+ authorization log:

Status: Failed
Failure Reason: 13025 Command failed to match a Permit rule
Logged At: May 16, 2011 8:02 AM
ACS Time: May 16, 2011 8:02 AM
ACS Instance: ACS-test
Authentication Method: None
Authentication Type:
Header Privilege Level: 0
Command Set: [ CmdAV=enable 15  ]
User
User Name: testuser
Remote Address: #######
Network Device
Network Device Name: Cisco-2650-test
Netwok Device Group: Device Type:All Device Types, Location:All Locations
Device IP Address: ########
Access Policy
Access Service: TACACS
Identity Store:
Selected Shell Profile:
Matched Command Set:
Selected Command Set: DenyAllCommands
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule: TACACS
Identity Policy Matched Rule: Default
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Store:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule: Default
Authorization Exception Policy Matched Rule:
Other
ACS Session ID: ACS-test/93860844/1693
Author Reply Status:
Other Attributes:
ACSVersion=acs-5.2.0.26-B.3075
ConfigVersionId=263
Device Port=12227
Protocol=Tacacs
Type=Authorization
Service=None
Port=tty66
Service-Argument=shell
AuthenticationIdentityStore=NAC Profiler
AuthenticationMethod=Lookup
SelectedAuthenticationIdentityStores=NAC Profiler
SelectedAuthenticationIdentityStores=Internal Users
IdentityDn=uid=homer,ou=Users,retailername=default,o=UMC

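A small triage script for records like the one quoted above, added here as an example and not code from the thread or from Cisco ACS. It parses the "Label:" / padding / value layout of an ACS 5.x TACACS+ authorization record and lists the observations (13025 failure code, Default authorization rule, no mapped Identity Group) that explain why the request ended at the default rule; the embedded record is a constructed sample trimmed from the post.

```python
# Added example, not code from the thread or from Cisco ACS: parse the
# "Label:" / padding / value layout of the ACS 5.x TACACS+ authorization
# record quoted above and list what explains the fall-through to Default.
import re

SECTION_HEADERS = {"User", "Network Device", "Access Policy", "Other"}

# Constructed sample, trimmed from the record in the post above.
SAMPLE_RECORD = "\n".join([
    "Status:", "   ", "Failed",
    "Failure Reason:", "    13025 Command failed to match a Permit rule",
    "Selected Command Set:", "   ", "DenyAllCommands",
    "Identity Group:", "   ", "",
    "Identity Policy Matched Rule:", "   ", "Default",
    "Authorization Policy Matched Rule:", "   ", "Default",
    "Other", "Other Attributes:", "   ",
    "AuthenticationMethod=Lookup",
    "IdentityDn=uid=homer,ou=Users,retailername=default,o=UMC",
])


def parse_record(text):
    """Return {label: value}; 'Other Attributes' becomes a nested dict."""
    # A label is a line ending in ':'; everything up to the next label is its value.
    parts = re.split(r"^\s*(.+):\s*$", text, flags=re.M)  # [pre, label, body, ...]
    fields = {}
    for label, body in zip(parts[1::2], parts[2::2]):
        vals = [ln.strip() for ln in body.splitlines()
                if ln.strip() and ln.strip() not in SECTION_HEADERS]
        if label == "Other Attributes":  # key=value lines; a repeated key keeps its last value
            fields[label] = dict(ln.partition("=")[::2] for ln in vals)
        else:
            fields[label] = " ".join(vals)
    return fields


def triage(fields):
    """List the observations that explain why the request hit the Default rule."""
    out = []
    if fields.get("Failure Reason", "").startswith("13025"):
        out.append("13025: no Permit rule matched the requested command set")
    if fields.get("Authorization Policy Matched Rule") == "Default":
        out.append("authorization fell through to the Default rule; selected "
                   "command set: " + (fields.get("Selected Command Set") or "none"))
    if fields.get("Identity Policy Matched Rule") == "Default" and not fields.get("Identity Group"):
        out.append("no Identity Group was mapped, so authorization rules "
                   "conditioned on group membership cannot match")
    return out
```

Run `triage(parse_record(SAMPLE_RECORD))` to get the three findings for the sample; a record whose authorization matched a named rule and carried an Identity Group returns an empty list.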