08-11-2010 07:02 AM
I have tried to integrate CS-MARS with Cisco ACS for AAA Authentication as per the document.
http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200711.html
I had added my two ACS Appliances to the CS-MARS, and when I am doing a "test connectivity" and using ACS usernames I am successfully able to authenticate (as shown in attached picture).
Once I change to AAA Server mode and logout, I am unable to login using AAA (ACS usernames). Don't know what is the problem.
Can someone help me?
Thanks in advance.
08-11-2010 05:59 PM
Your screenshots show that testing authentication (in general) works. Did you configure local usernames on the CS-MARS box that match the account names in ACS?
> If authentication is set to local, set up user accounts with names and passwords that match the credentials in ACS. For example, set up an account named "test", as it appears that account is in your ACS server.
> If authentication is already set to AAA, set up users that match (no password necessary).
Also, make sure that the account has the proper permissions in ACS for the MARS device. Have you done all of this?
08-12-2010 02:37 AM
Hi Michael,
Thanks, it is working now.
Since I had already set it to AAA mode, I had to add only the usernames.
But this kinda beats the purpose of using AAA authentication, since now I have to add all the usernames in CS-MARS also. If I have a new user, I will have to add in the Cisco ACS as well as the CS-MARS.
08-12-2010 06:19 PM
Ok, good to know it's working.
You're absolutely right about the duplicate effort of creating the accounts in MARS. However, it potentially has an upside for some situations (like mine). If an admin has control of the MARS server and accounts, but not the accounts in the ACS server, it's a bonus. No one can get access to the MARS server without acknowledgment from the MARS admin.
Considering the kind of information maintained in MARS, that could be a Good Thing™.