This document provides an example of TACACS+ authentication and authorization on NCS prime 1.1.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
NCS prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears
Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
Step 4 Add the IP address of the ACS server.
Step 5 Enter the TACACS+ shared secret used by ACS server.
Step 6 Reenter the shared secret in the Confirm Shared Secret text box.
Leave rest as default.
Step 7 Click Submit.
AAA Mode Settings
To choose a AAA mode, follow these steps:
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears
Step 3 Select Tacacs
Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down.This way we won't be locked out incase of tacacs failure. Once all is working you can always change this option later.
ACS 5.x Configuration
Complete these steps:
We need to push the attribute from the ACS.
WCS will have those attributes.
Go to “Groups” (still under Administration->AAA).
You will see the list of user types. Since we are looking to authenticate Adminstrator, check the line of the “Admin” group. On the right you will see a link called “task list”. Click on it”
5.export those attributes and save it in your desktop.
6.Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
7.Name it NCS.
8.Under the Custom Attributes tab, enter these values: (I have added four, you need to add all the values fo the admin role). If you are return a recent release of WCS, you will also have to tell in which Virtual Domain the user will be. Thats why i have added the aditional attribute "Virtual-domain".
9.Submit the changes in order to create an attribute-based role for the NCS
10. Go to Access Service> default device admin> Identity> select the Internal users.
11.Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
12.In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.
13. Click Ok.
use ACS 5.4 it has "Bulk Edit" option.
This allows you to copy paste the entire list, rather than putting each one manually.
Login to NCS and you should get Admin role.
If you are unable to login to the device, go to ACS> reports and monitoring > Catalog>AAA protocols> Tacacs authentication> select the failed authentication > click on details to know the reason. or open case with TAC to get the assistance
Please post comments if there are any queries and rate if useful
Hi, Can someone help me understand the effect of implementing metric in the address family ipv4 rather than in a specific interface.Please see below config for reference. router isis 123is-type level-2-onlynet xx.xxxx.xxxx.xxxx.xxxx.xxnsf ietflo...
Hello!As a pandemic consequence most users are working remotely and they are connected by VPN remote access.Another consequence are the increasing number of tickets from users claim about quality of their VPN connections.Have anyone had already deploy som...
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS...
Hello,We have just upgraded FTD 2110 firewall to firmware version 6.6.1. Since the AC element count is 800k, FMC shows a warning message "the number of access list elements generated for the access control policy exceeds the limit for this platform", sugg...
So I have come to learn that AMP doesn't have features that I am accustom to. Is there a way, beside creating more policies, to apply an exclusion to a single system? I am needing to create a 5 separate exclusion for my backup software. The machine f...