cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4467
Views
15
Helpful
7
Comments
minkumar
Level 1
Level 1

     

     

    Introduction

    This document provides an example of TACACS+ authentication  and authorization on NCS prime 1.1.

    Requirements

    Ensure that you meet these requirements before you attempt this configuration:

    • Define NCS as a client in ACS.
    • Define the IP address and an identical shared secret key on the ACS and NCS.

    Components Used

    The information in this document is based on these software and hardware versions:

    • ACS 5.4
    • NCS prime 1.1

    The information in this document was created from the devices in a  specific lab environment. All of the devices used in this document  started with a cleared (default) configuration. If your network is live,  make sure that you understand the potential impact of any command.

    Conventions

    Refer to the Cisco Technical Tips Conventions for more information on document conventions.

    Configuration

    In this section, you are presented with the information to configure the features described in this document.

    Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

    Configuration on NCS

    Adding ACS as a Tacacs server:

    Step 1 Choose Administration > AAA.

    Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears

    NCS.jpg

    Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.

    Step 4 Add the IP address of the ACS server.

    Step 5 Enter the TACACS+ shared secret used by ACS server.

    Step 6 Reenter the shared secret in the Confirm Shared Secret text box.

    Leave rest as default.

    Step 7 Click Submit.

    AAA Mode Settings

    To choose a AAA mode, follow these steps:

    Step 1 Choose Administration > AAA.

    Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears

    AAA-1.jpg

    Step 3 Select  Tacacs

    Step 4 Select the Enable Fallback to Local check  box if you want the administrator to use the local database when the  external AAA server (ACS) is down.This way we won't be locked out incase  of  tacacs failure. Once all is working you can always change this  option later.

    ACS 5.x Configuration

    Complete these steps:

    1. We need to push the attribute from the ACS.
    2. WCS will have those attributes.
    3. Go to “Groups” (still under Administration->AAA).
    4. You will see the list of user types. Since we are looking to  authenticate Adminstrator, check the line of the “Admin” group. On the  right you will see a link called “task list”. Click on it”

    user group.jpg

    ncs attr.jpg

    5.export those attributes and save it in your desktop.

    6.Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.

    7.Name it NCS.

    NCS1.jpg8.Under  the Custom Attributes tab, enter these values: (I have added four, you  need to add all the values fo the admin role). If you are return a  recent release of WCS, you will also have to tell in which Virtual  Domain the user will be. Thats why i have added the aditional attribute  "Virtual-domain".

    SHELL.jpg

    9.Submit the changes in order to create an attribute-based role for the NCS

    10. Go to Access Service> default device admin> Identity> select the Internal users.

    INTERNAL.jpg

    11.Create a new authorization rule, or edit an existing rule, in the  correct access policy. By default, TACACS+ requests are processed by the  Default Device Admin access policy.

    authorization.jpg

    12.In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.

    13. Click Ok.

    More Information

    use ACS 5.4 it has "Bulk Edit" option.

    This allows you to copy paste the entire list, rather than putting each one manually.

    Verify

    Login to NCS and you should get Admin role.

    Troubleshooting

    If you are unable to login to the device, go to ACS>  reports and monitoring > Catalog>AAA protocols> Tacacs  authentication> select the failed authentication > click on  details to know the reason. or open case with TAC to get the assistance

    Please post comments if there are any queries and rate if useful

    Comments
    Christian Maier
    Level 1
    Level 1

    Step 8:
    in Order to find the correct Domain Syntax you can click on "click here." at the very bottom of custom attributes list.

    --> Thank you very much for your GREAT Help!

    minkumar
    Level 1
    Level 1

    Hi Christian,

       Did you mean you want to change the value of Virtual domain attribute in ACS?

    Regards

    Minakshi (Do rate helpful posts )

    cory frey
    Community Member

    Is there a way to add all the attributes as a batch or do they have to be entered one at a time? If I am doing this for every attribute I will have to enter over 150 one at a time.

    minkumar
    Level 1
    Level 1

    Hi Cory,

      Unfortunately, You will have to add it one by one.

    Minakshi

    edwjames
    Level 3
    Level 3

    There is a correction in this:

    The NCS has virtual-domain0=ROOT-DOMAIN

    This can be found under Administration-->Virtual Domains-->Export.

    ropavith
    Cisco Employee
    Cisco Employee

    @ Minkumar and Cory, use ACS 5.4 it has "Bulk Edit" option.

    This allows you to copy paste the entire list, rather than putting each one manually.

    [[{"fid":"962061","view_mode":"default","fields":{"format":"default","field_file_image_alt_text[und][0][value]":"ACS 5.4 attributes import for prime","field_file_image_title_text[und][0][value]":"ACS 5.4 attributes import for prime","field_media_description[und][0][value]":"ACS 5.4 attributes import for prime"},"type":"media","attributes":{}}]]

    ropavith
    Cisco Employee
    Cisco Employee

    @ Minkumar and Cory, use ACS 5.4 it has "Bulk Edit" option.

    This allows you to copy paste the entire list, rather than putting each one manually.

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: