This document provides an example of TACACS+ authentication and authorization on NCS prime 1.1.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
NCS prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears
Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
Step 4 Add the IP address of the ACS server.
Step 5 Enter the TACACS+ shared secret used by ACS server.
Step 6 Reenter the shared secret in the Confirm Shared Secret text box.
Leave rest as default.
Step 7 Click Submit.
AAA Mode Settings
To choose a AAA mode, follow these steps:
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears
Step 3 Select Tacacs
Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down.This way we won't be locked out incase of tacacs failure. Once all is working you can always change this option later.
ACS 5.x Configuration
Complete these steps:
We need to push the attribute from the ACS.
WCS will have those attributes.
Go to “Groups” (still under Administration->AAA).
You will see the list of user types. Since we are looking to authenticate Adminstrator, check the line of the “Admin” group. On the right you will see a link called “task list”. Click on it”
5.export those attributes and save it in your desktop.
6.Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
7.Name it NCS.
8.Under the Custom Attributes tab, enter these values: (I have added four, you need to add all the values fo the admin role). If you are return a recent release of WCS, you will also have to tell in which Virtual Domain the user will be. Thats why i have added the aditional attribute "Virtual-domain".
9.Submit the changes in order to create an attribute-based role for the NCS
10. Go to Access Service> default device admin> Identity> select the Internal users.
11.Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
12.In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.
13. Click Ok.
use ACS 5.4 it has "Bulk Edit" option.
This allows you to copy paste the entire list, rather than putting each one manually.
Login to NCS and you should get Admin role.
If you are unable to login to the device, go to ACS> reports and monitoring > Catalog>AAA protocols> Tacacs authentication> select the failed authentication > click on details to know the reason. or open case with TAC to get the assistance
Please post comments if there are any queries and rate if useful
Hi,i try to setup FlexVPN for anyconnect to a isr4331 headend.I can successfully connect, and build a IKEv2 based tunnel. Then anyconnect pops up the following error: Failed to get configuration from secure gateway. Contact your system adm...
Good morning from GreeceDue to lack of major VPN Concentrator Appliances, we are using 4 X 886 with WEB SSL configurations and NAP Radius for 40 remote workers using Anyconnect clients. None of the solutions that exist in the current forum, was fitte...
Hi All; I've been having issues with GPRS connections in India from Digi WR21 routers to an ISR4431 running Cisco IOS XE Software, Version 16.08.01. As such, I've been sleeping with RFC5996 under my pillow and have noticed a few anomalies. See t...
I'm struggling to find information on how to apply a service-policy to an Internet connected interface on an FTD1010. Cisco docs indicate this is possible by setting up a QoS policy within an FMC, however I don't have access to one to do this. ...
Hi everyone I need a little help with NAT on FTDI'v been searching since yesterday but I had no luck finding some infosWhat is the correct way to populate the configuration form for this scenario? Please see attached imagesFigure 8 Static NAT with P...