This document provides an example of TACACS+ authentication and authorization on NCS prime 1.1.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
NCS prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears
Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
Step 4 Add the IP address of the ACS server.
Step 5 Enter the TACACS+ shared secret used by ACS server.
Step 6 Reenter the shared secret in the Confirm Shared Secret text box.
Leave rest as default.
Step 7 Click Submit.
AAA Mode Settings
To choose a AAA mode, follow these steps:
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears
Step 3 Select Tacacs
Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down.This way we won't be locked out incase of tacacs failure. Once all is working you can always change this option later.
ACS 5.x Configuration
Complete these steps:
We need to push the attribute from the ACS.
WCS will have those attributes.
Go to “Groups” (still under Administration->AAA).
You will see the list of user types. Since we are looking to authenticate Adminstrator, check the line of the “Admin” group. On the right you will see a link called “task list”. Click on it”
5.export those attributes and save it in your desktop.
6.Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
7.Name it NCS.
8.Under the Custom Attributes tab, enter these values: (I have added four, you need to add all the values fo the admin role). If you are return a recent release of WCS, you will also have to tell in which Virtual Domain the user will be. Thats why i have added the aditional attribute "Virtual-domain".
9.Submit the changes in order to create an attribute-based role for the NCS
10. Go to Access Service> default device admin> Identity> select the Internal users.
11.Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
12.In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.
13. Click Ok.
use ACS 5.4 it has "Bulk Edit" option.
This allows you to copy paste the entire list, rather than putting each one manually.
Login to NCS and you should get Admin role.
If you are unable to login to the device, go to ACS> reports and monitoring > Catalog>AAA protocols> Tacacs authentication> select the failed authentication > click on details to know the reason. or open case with TAC to get the assistance
Please post comments if there are any queries and rate if useful
I have this FirePower that continously power cycles am not sure what has failed I have tried software recovery but which worked but after reboot, It still power Cycled.I cleaned the the file system as per cisco documentation with init system command now t...
Hi, we want to attach a header to our mails with the attached mime-types. In the Content-Filter/Action Variables documentation section we found a list of possible variables. The "filetypes" variable sounded very promising: File Types$filetypesRe...
When connecting directly to console on an ISE 3655, it is showing non-readable characters.
Customer is using Putty and baud rate is set to 9600, it is a new node, it has never worked before.
Please see error attached.
Can it be a hard...
Folks,We have to work on a rebuild the SNS 3515 by installing the 2.3 version from the existing 2.4 version. This is a new install and the devices got shipped with the 2.4 version. We went through some documentation in the below link:https://ww...
in this picture , we are seeing a scenario for ASA firewall . i'm gana ask a question for youe.. can we have one ip address with two mac-address on outbound interface ? if the answer is positive , how?there are two context , ctx1 and ctx2 on firewall .&nb...