
ACS 5.3 Network Devices still show as Default Network Device

imuonagor
Level 1

We had enabled the Default Network Device on our ACS 5.3 during the setup stage.

Now I wish to implement a policy for specific network devices so I have now added the devices uniquely using their IP Addresses and names.

However, the policy is not working, and I notice under monitoring that the devices are shown on ACS as Default Network Device instead of being shown with individual IP addresses or names.

I'd appreciate it if anyone can help with some explanation of how I can resolve this. I have restarted the ACS to no avail.

Thank you!


Gagandeep Singh
Cisco Employee

If you have network devices configured in ACS, I would suggest disabling "Default Network Device".

Network Resources > Default Network Device

Then check the results, and if it fails, send me the authentication report.

I would also recommend upgrading ACS to the latest code.

Regards

Gagan

PS : rate if it helps!!!!

Thanks for your reply Gagan,

I had disabled Default Network Device but the authentication didn't work till I re-enabled the Default Network Device.

I also tried to change the IP Address I used to add the device to the ACS. I used other interfaces' IP Addresses (just in case the ACS is seeing a different IP Address from the device in the TACACS+ messages). I also tried a loopback IP Address on the device but none worked.

Please see attached authentication report.

Note: I'm using the GUI, so I just did a screen capture of the successful and unsuccessful ones. (The screen is also too wide for capture, so I captured it as left and right sides.) Let me know if this suffices or if you want me to collect from the CLI (do let me know the actual log file to send if so).

Thanks again!

In the failed report, it says the shell profile is deny access.

Please check and send the Authz policy screenshot. It looks to me like the rule isn't matching correctly.

Regards

Gagan

Yes the rule is not matching because the device is still showing on the ACS as a "Default Network Device".

The rule is set to match if a device is in a particular location.

I have added this device to the ACS with its IP Address and specified its location (same as in the rule) but the device still registers to the ACS under "Default Network Device"

Please see attached.

Can you please send the complete report by clicking on the magnifying glass?

It's ACS 5.3; not sure if we have the option of taking it in PDF format.

Good morning Gagan,

I clicked on the magnifying glass and saw in the detailed log that the IP Address the ACS was seeing was different from the one I had specified for the device.

I changed it and it worked.

Thanks a million for your help and guidance.

You're welcome :)

Thanks for choosing Cisco!!!

To avoid such issues, use the "ip tacacs source-interface ifname" command in the global config or in the AAA server group. This tells the device which interface (and IP address) to use as the source of TACACS traffic.
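The mismatch that resolved this thread can be checked offline before changing any policy. The sketch below is an added example, not part of the original posts and not Cisco code: it compares the source addresses seen in authentication records with the registered device entries and lists the requests that would be treated as the Default Network Device. All device names, addresses and locations are constructed, and the most-specific-match rule is an assumption.

```python
import ipaddress

DEFAULT = "Default Network Device"

# Constructed sample: device entries as they might be registered
# (name, IP address or subnet, location). Not taken from the thread.
DEVICES = [
    ("core-sw1", "10.10.0.1/32", "HQ"),
    ("edge-rtr", "10.10.0.3/32", "HQ"),        # registered by loopback address
    ("branch-rtr", "192.0.2.0/28", "Branch"),
]

# Constructed sample: (hostname, source IP the AAA server saw for the request).
OBSERVED = [
    ("core-sw1", "10.10.0.1"),
    ("branch-rtr", "192.0.2.5"),
    ("edge-rtr", "172.16.20.2"),  # sent from the egress interface, not the loopback
]


def resolve(source_ip, devices=DEVICES):
    """Return (name, location) of the entry covering source_ip, else the default.

    Assumption: if several entries cover the address, the most specific wins.
    """
    addr = ipaddress.ip_address(source_ip)
    best = None
    for name, cidr, location in devices:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, location)
    return (best[1], best[2]) if best else (DEFAULT, None)


def unmatched(observed=OBSERVED, devices=DEVICES):
    """List (hostname, source_ip) pairs that fall through to the default device."""
    return [(host, ip) for host, ip in observed
            if resolve(ip, devices)[0] == DEFAULT]


if __name__ == "__main__":
    for host, ip in unmatched():
        print(f"{host}: source {ip} matches no device entry; register this "
              f"address or pin the TACACS source interface on the device")
```

A request that resolves to the default entry carries no location, so a rule keyed on device location cannot match it, which is the behaviour described in the thread.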