Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1018
Views
0
Helpful
1
Replies

Integrating Cisco ACS 5.3 and RSA Manager

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-31-2012 08:19 AM - edited ‎03-10-2019 07:21 PM

Hi There

What I would like to achieve is when ever a user telnet/ssh into a network equipment, the username should come from the ACS and the password should be via RSA token. I know there's 2 methods to do this i.e. SECUREID NATIVE and RADIUS, and I have chosen the RADIUS method.

Here's my problem so far, when a user telnet/ssh into a network equipment and keys in the username and RSA token, as the password, I get an error message "Authorization Failed". However, if i were to use a username and a password created internally in the ACS, all is good. I believe the RSA Manager is not returning me priv-lvl=15. I also believe in order to resolve this issue, I need to put in the RADIUS VSA Attributes into the ACS, but I don't know the RADIUS Attributes. Can someone assist me please.

Basically, what's the vsa attribute name and value Cisco is expecting for an admin user with privilege 15?

SW_6#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 3019 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 3019 messages logged
    Exception Logging: size (4096 bytes)
    File logging: disabled
    Trap logging: level notifications, 2781 message lines logged
        Logging to 10.208.12.249, 2781 message lines logged

Log Buffer (4096 bytes):

5w1d: AAA/AUTHOR/TAC+: (1009591091): send AV cmd-arg=logging
5w1d: AAA/AUTHOR/TAC+: (1009591091): send AV cmd-arg=<cr>
5w1d: AAA/AUTHOR (1009591091): Post authorization status = PASS_ADD
5w1d: tty2 AAA/AUTHOR/EXEC (519064772): Port='tty2' list='' service=EXEC
5w1d: AAA/AUTHOR/EXEC: tty2 (519064772) user='netadmin3'
5w1d: tty2 AAA/AUTHOR/EXEC (519064772): send AV service=shell
5w1d: tty2 AAA/AUTHOR/EXEC (519064772): send AV cmd*
5w1d: tty2 AAA/AUTHOR/EXEC (519064772): found list "default"
5w1d: tty2 AAA/AUTHOR/EXEC (519064772): Method=tacacs+ (tacacs+)
5w1d: AAA/AUTHOR/TAC+: (519064772): user=netadmin3
5w1d: AAA/AUTHOR/TAC+: (519064772): send AV service=shell
5w1d: AAA/AUTHOR/TAC+: (519064772): send AV cmd*
5w1d: AAA/AUTHOR (519064772): Post authorization status = FAIL
5w1d: AAA/AUTHOR/EXEC: Authorization FAILED
5w1d: AAA/MEMORY: free_user (0x80CF711C) user='netadmin3' ruser='' port='tty2' rem_addr='10.208.10.191' authen_type=ASCII service=LOGIN priv=1

Warm regards,
Ramraj Sivagnanam Sivajanam
Labels:
0 Helpful
1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

‎07-31-2012 09:05 AM

Ramraj,

I dont think you can proxy a tacacs authentication request against a radius server. I dont recall seeing that as being an option.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/common_scenarios.html#wp1153241

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents