This document provides an example of TACACS+ authentication and authorization on NCS Prime 1.1 against ACS 5.x.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
NCS Prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 2 From the left sidebar menu, choose TACACS+. The TACACS+ page appears.
Step 3 The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
Step 4 Add the IP address of the ACS server.
Step 5 Enter the TACACS+ shared secret configured on the ACS server.
Step 6 Reenter the shared secret in the Confirm Shared Secret text box.
Leave the remaining fields at their defaults.
Step 7 Click Submit.
AAA Mode Settings
To choose an AAA mode, follow these steps:
Step 1 Choose Administration > AAA.
Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears.
Step 3 Select TACACS+.
Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down. This way you are not locked out of NCS if TACACS+ authentication fails. Once everything is working, you can change this option later.
ACS 5.x Configuration
Complete these steps:
1. The role and task attributes that NCS expects must be returned by ACS in the TACACS+ authorization reply.
2. NCS (like WCS before it) lists those attributes itself, so you can export them rather than type them by hand.
3. Go to "Groups" (still under Administration > AAA).
4. You will see the list of user groups. Since we are authenticating an Administrator, check the line of the "Admin" group. On the right you will see a link called "Task List". Click on it.
5. Export those attributes and save the file to your desktop.
6. Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
7. Name it NCS.
8. Under the Custom Attributes tab, enter the exported values. (I have added four here; you need to add all the values for the Admin role, because a role whose task list is incomplete is not granted as expected.) If you are running a recent release of WCS, you also have to specify which Virtual Domain the user belongs to. That is why I have added the additional attribute "Virtual-domain".
9. Submit the changes in order to create an attribute-based role for NCS.
10. Go to Access Service > Default Device Admin > Identity and select the Internal Users identity store.
11. Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
12. In the Conditions area, choose the appropriate conditions. In the Results area, choose the NCS shell profile.
13. Click OK.
Use ACS 5.4 if you can; it has a "Bulk Edit" option that lets you paste the entire attribute list at once rather than entering each attribute manually.
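The most common cause of a user landing in the wrong role after this setup is the point made in step 8: the shell profile must carry every task of the Admin group, plus the virtual-domain attribute. The following script is an added example (not part of the original document, and not Cisco's code) that compares the task list exported from NCS with the attribute list pasted into the ACS shell profile and reports what is missing. It assumes that both are plain `key=value` lines (`role0=...`, `taskN=...`, `virtual-domain0=...`), optionally prefixed with the `NCS:` attribute class on the ACS side; the two embedded inputs are constructed samples, not real exports.

```python
"""Compare an NCS task-list export with the ACS shell-profile attributes.

Added example. Assumptions (not taken from the page):
  - the NCS export is a text file of `key=value` lines;
  - ACS custom attributes use the same keys, optionally prefixed `NCS:`.
"""
import re
from typing import Dict, List, Set

# Constructed sample of an exported Admin task list (not a real export).
EXPORTED_TASK_LIST = """\
role0=Admin
task0=Users and Groups
task1=Audit Trails
task2=Monitor Clients
task3=Config Templates
virtual-domain0=ROOT-DOMAIN
"""

# Constructed sample of what was pasted into the ACS shell profile:
# one task was skipped and the virtual-domain attribute was forgotten.
ACS_SHELL_PROFILE = """\
NCS:role0=Admin
NCS:task0=Users and Groups
NCS:task1=Audit Trails
NCS:task3=Config Templates
"""

# key (with optional NCS: prefix) = value; surrounding whitespace ignored
ATTR_RE = re.compile(r"^\s*(?:NCS:)?([A-Za-z-]+\d*)\s*=\s*(.*?)\s*$")


def parse_attributes(text: str) -> Dict[str, str]:
    """Parse `key=value` lines into a dict; blank and '#' lines are skipped."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ATTR_RE.match(line)
        if not match:
            raise ValueError(f"unparseable attribute line: {line!r}")
        attrs[match.group(1)] = match.group(2)
    return attrs


def task_values(attrs: Dict[str, str]) -> Set[str]:
    """Task names are compared by value, so renumbered taskN keys still match."""
    return {v for k, v in attrs.items() if re.fullmatch(r"task\d+", k)}


def compare(exported: str, configured: str) -> dict:
    """Report role mismatch, missing/extra tasks and a missing virtual domain."""
    exp = parse_attributes(exported)
    cfg = parse_attributes(configured)
    missing: List[str] = sorted(task_values(exp) - task_values(cfg))
    extra: List[str] = sorted(task_values(cfg) - task_values(exp))
    vd_missing = "virtual-domain0" in exp and "virtual-domain0" not in cfg
    role_match = exp.get("role0") == cfg.get("role0")
    return {
        "role_match": role_match,
        "missing_tasks": missing,
        "extra_tasks": extra,
        "virtual_domain_missing": vd_missing,
        "ok": role_match and not missing and not extra and not vd_missing,
    }


def to_bulk_edit(exported: str) -> str:
    """Render the export as `NCS:key=value` lines for pasting into Bulk Edit.
    The `NCS:` prefix is an assumption about the ACS attribute class."""
    attrs = parse_attributes(exported)
    return "\n".join(f"NCS:{k}={v}" for k, v in attrs.items())


if __name__ == "__main__":
    result = compare(EXPORTED_TASK_LIST, ACS_SHELL_PROFILE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("--- bulk-edit text generated from the export ---")
    print(to_bulk_edit(EXPORTED_TASK_LIST))
```

Run it against the real export and the text you pasted into ACS; an `ok: False` with a non-empty `missing_tasks` list or `virtual_domain_missing: True` explains a user who authenticates successfully but does not receive the Admin role.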
Log in to NCS; you should receive the Admin role.
If you are unable to log in, go to ACS > Reports and Monitoring > Catalog > AAA Protocols > TACACS Authentication, select the failed authentication, and click Details to see the failure reason, or open a case with TAC for assistance.
Please post comments if there are any queries, and rate if useful.