This document provides an example of TACACS+ authentication and authorization on NCS prime 1.1.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
NCS prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears
Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
Step 4 Add the IP address of the ACS server.
Step 5 Enter the TACACS+ shared secret used by ACS server.
Step 6 Reenter the shared secret in the Confirm Shared Secret text box.
Leave rest as default.
Step 7 Click Submit.
AAA Mode Settings
To choose a AAA mode, follow these steps:
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears
Step 3 Select Tacacs
Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down.This way we won't be locked out incase of tacacs failure. Once all is working you can always change this option later.
ACS 5.x Configuration
Complete these steps:
We need to push the attribute from the ACS.
WCS will have those attributes.
Go to “Groups” (still under Administration->AAA).
You will see the list of user types. Since we are looking to authenticate Adminstrator, check the line of the “Admin” group. On the right you will see a link called “task list”. Click on it”
5.export those attributes and save it in your desktop.
6.Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
7.Name it NCS.
8.Under the Custom Attributes tab, enter these values: (I have added four, you need to add all the values fo the admin role). If you are return a recent release of WCS, you will also have to tell in which Virtual Domain the user will be. Thats why i have added the aditional attribute "Virtual-domain".
9.Submit the changes in order to create an attribute-based role for the NCS
10. Go to Access Service> default device admin> Identity> select the Internal users.
11.Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
12.In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.
13. Click Ok.
use ACS 5.4 it has "Bulk Edit" option.
This allows you to copy paste the entire list, rather than putting each one manually.
Login to NCS and you should get Admin role.
If you are unable to login to the device, go to ACS> reports and monitoring > Catalog>AAA protocols> Tacacs authentication> select the failed authentication > click on details to know the reason. or open case with TAC to get the assistance
Please post comments if there are any queries and rate if useful
Hello We are planning the migration of an ASA5540 to a Firepower 2110.The new implementation will use AnyConnect for remote access and ISE will be used as RADIUS server.The module NAM in anyconnect is compatible with Firepower versión 6.2.x? Accordin...
I'm using an ACL to limit access for one of my anyconnect users. The ACL does it's job and restricts the user from being able to connect to anything but the permitted IPs. However, once the user connects to a permitted server, they can then ssh to other s...
Hi Everyone, I would like to know if any of you have experience on deploying FTD or ASA in Google Cloud Platform or eventually what is Cisco's offer in terms of Firewall in cloud infrastructure. In case I would appreciate any suggestion on the d...
hello everyone, Would anyone be able to offer some info on how to do this, so that we can enforce users to use the Cisco AnyConnect VPN client instead using the built-in Mac IPSec VPN option to VPN in. Any info would greatly be appreciated, tha...
Hi all - I have "inherited" some items that look like they need to be upgraded. I've read through the upgrade guides, etc but wanted to make sure I am not missing anything. I need to get my virtual FMC from 6.0.1 -> 6.1.0 -> 6.4.0 Can I pe...