02-17-2017 03:01 AM - edited 03-11-2019 12:28 AM
We had enabled the Default Network Device on our ACS 5.3 during the setup stage.
Now I wish to implement a policy for specific network devices so I have now added the devices uniquely using their IP Addresses and names.
However the policy is not working and I notice under monitoring that the devices are shown on ACS as Default Network Device instead of shown with individual IP addresses or names.
I'd appreciate it if anyone could help with some explanation of how I can resolve this. I have restarted the ACS to no avail.
Thank you!
02-18-2017 01:16 PM
If you have network devices configured in ACS, I would suggest disabling "Default Network Device":
Network Resources > Default Network Device
Then check the results, and if it fails, send me the authentication report.
I would also recommend upgrading ACS to the latest code.
Regards
Gagan
PS: rate if it helps!
02-20-2017 06:33 AM
Thanks for your reply Gagan,
I had disabled Default Network Device, but the authentication didn't work until I re-enabled Default Network Device.
I also tried to change the IP Address I used to add the device to the ACS. I used other interfaces' IP Addresses (just in case the ACS is seeing a different IP Address from the device in the TACACS+ messages). I also tried a loopback IP Address on the device but none worked.
Please see attached authentication report.
Note: I'm using the GUI, so I just did a screen capture of the successful and unsuccessful ones (the screen is also too wide to capture, so I captured the left and right sides separately). Let me know if this suffices or if you want me to collect it from the CLI (do let me know the actual log file to send if so).
Thanks again!
02-20-2017 08:21 AM
In the failed report, it says the shell profile is "Deny Access".
Please check and send the authorization policy screenshot. It looks to me like the rule isn't matching correctly.
Regards
Gagan
02-24-2017 09:08 AM
Yes the rule is not matching because the device is still showing on the ACS as a "Default Network Device".
The rule is set to match if a device is in a particular location.
I have added this device to the ACS with its IP address and specified its location (the same as in the rule), but the device still registers on the ACS under "Default Network Device".
Please see attached.
02-25-2017 11:24 AM
Can you please send the complete report by clicking on the magnifying glass?
It's ACS 5.3; I'm not sure if we have the option of exporting it in PDF format.
02-27-2017 12:21 AM
Good morning Gagan,
I clicked on the magnifying glass and saw in the detailed log that the IP address the ACS was seeing was different from the one I had specified for the device.
I changed it and it worked.
Thanks a million for your help and guidance.
02-27-2017 06:30 PM
You're welcome :)
Thanks for choosing Cisco!!!
02-02-2018 01:47 AM - edited 02-02-2018 01:47 AM
To avoid such issues, use the "ip tacacs source-interface ifname" command in the global config or in the AAA server group. This tells the device which interface (and IP address) to use as the source of its TACACS+ traffic.
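As an added example (not part of the original thread), here is what the fix described above looks like on a Cisco IOS device, pinning the TACACS+ source to a loopback so the NAS IP that ACS sees never changes when a different interface is used to reach the server. The interface, server name, address and key are placeholders I chose for illustration; the ACS device entry must use the same address as the loopback.

```text
! Pin the source of all TACACS+ packets to Loopback0 (placeholder names/addresses)
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
tacacs server ACS1
 address ipv4 10.10.10.5
 key MySharedSecret
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
 ! Group-scoped form; "ip tacacs source-interface Loopback0" in global config also works
 ip tacacs source-interface Loopback0
!
aaa new-model
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
```

On the ACS side, add the device under Network Resources > Network Devices and AAA Clients with IP Address 10.0.0.1 (the loopback, not a transit interface), the same shared secret, and the location or device group your authorization rule matches on. After the change, the detailed authentication report reached via the magnifying glass should show that NAS IP rather than the Default Network Device entry; if it still shows a transit interface address, the source-interface command is not applied to the group actually used by the aaa authentication/authorization lines.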