MARS AAA Authentication with Cisco ACS not working

jennyjohn
Level 1

I have tried to integrate CS-MARS with Cisco ACS for AAA Authentication as per the document.

http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200711.html

I had added my two ACS Appliances to the CS-MARS, and when I am doing a "test connectivity" and using ACS usernames I am successfully able to authenticate (as shown in attached picture).

Once I change to AAA Server mode and log out, I am unable to log in using AAA (ACS usernames). Don't know what the problem is.

Can someone help me?

Thanks in advance.

1 Accepted Solution

mikecrowe4ICS_2
Level 1

Your screenshots show that testing authentication (in general) works. Did you configure local usernames on the CS-MARS box that match the account names in ACS?

> If authentication is set to local, set up user accounts with names and passwords that match the credentials in ACS. For example, set up an account named "test", as it appears that account is in your ACS server.

> If authentication is already set to AAA, set up users that match (no password necessary).

Also, make sure that the account has the proper permissions in ACS for the MARS device. Have you done all of this?

3 Replies

Hi Michael,

Thanks, it is working now.

Since I had already set it to AAA mode, I had to add only the usernames.

But this kinda beats the purpose of using AAA authentication, since now I have to add all the usernames in CS-MARS also. If I have a new user, I will have to add in the Cisco ACS as well as the CS-MARS.

Ok, good to know it's working.

You're absolutely right about the duplicate effort of creating the accounts in MARS.  However, it potentially has an upside for some situations (like mine).  If an admin has control of the MARS server and accounts, but not the accounts in the ACS server, it's a bonus.  No one can get access to the MARS server without acknowledgment from the MARS admin.

Considering the kind of information maintained in MARS, that could be a Good Thing™.
