can i use same AAA server in different NDG group for AAA clients?

Unanswered Question
Feb 7th, 2007

Hi,

I am running Cisco ACS 4.1 (90-day trial version). In it I have created an NDG named "EdgeSwitches", and into that group I have added as AAA clients the IP addresses of whichever switches I require; in it I can also see an AAA server named "cisco-acs" with the IP address "10.1.1.1". Now I wanted to add a different NDG named "ServerSwitches", and I am adding whichever switches are required to be in this group. When I add the AAA server and specify the same AAA server name "cisco-acs" with the IP address "10.1.1.1", I get the error "Host Already Exists". If I then change the name from cisco-acs to cisco-acs1, I get "An overlapping IP range has been detected 10.203.1.92 conflicts with cisco-acs entry of 10.1.1.1".

How do I overcome this? I am planning it such that some set of users should access "EdgeSwitches" and some users should access "ServerSwitches", with the privilege levels as per my requirement.

andreas.larsen@... Wed, 02/07/2007 - 04:24

Create user groups. Assign the users that you want to have access to ServerSwitches to the group ServerSwitches, and the users for EdgeSwitches to the group EdgeSwitches, etc. Then you can assign privileges per NDG in the group section. Or you can assign privileges per user as well if you like.

Anand S Wed, 02/07/2007 - 04:35

Thanks for the reply, but if I create a new NDG, I need to specify the AAA server, so when I try to do that I get the error message which I have attached to this. If it is not specified, then the switches under this NDG will not authenticate via TACACS+ on Cisco ACS.

royalblues Wed, 02/07/2007 - 05:13

Hi Anand,

You do not need to mention the AAA server for a different NDG.

Just define it for one NDG.

Add another NDG and add devices to it.

Configure the devices for AAA and you should be good to go.

I have it running in my network.

HTH, rate if it does

Narayan

Anand S Wed, 02/07/2007 - 05:34

Hi Narayan & Andreas,

Thanks for the reply. As you suggested I tried the same, but it is not asking for the username & password (from the ACS); it directly asks for the switch's local enable password. If I want the switch to prompt for username & password, I need to put that particular switch in the NDG where the AAA server is specified. :(

royalblues Wed, 02/07/2007 - 05:49

Hi Anand,

It may be a limitation on the Evaluation version :-)

Can you share the configs done on the router and the ACS?

Narayan

Anand S Wed, 02/07/2007 - 05:54

Thanks Narayan,

Here is my config:

aaa new-model
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.203.1.92 key checkingtheswitch

With this configuration I am able to see the log activities etc.

All switches have the same configuration and work fine, but if I move one particular switch to a different NDG I do not get the username & password prompt.

royalblues Wed, 02/07/2007 - 06:05

Can you post the output of debug aaa authentication?

Also, can you look in the Reports and Activity tab and check the reason for the failures?

Narayan

Anand S Wed, 02/07/2007 - 06:48

Hi Narayan & Andreas,

I am extremely sorry. The only mistake I made is that, while creating the new NDG, the key between the switch and the NDG key was different. That is the mistake I made. Once again, extremely sorry, and thanks for your effort and quick response. One small doubt: since I have added a virtual IP on my Windows 2000 server, I had created a 2nd ACS AAA server (because the same IP address is not allowed when adding the new server; now it is not required, as the problem I identified was the key mismatch). How do I delete that? I couldn't find the delete option.
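The root cause Anand found (the shared secret configured on the switch's tacacs-server line not matching the key on the ACS side for that NDG) produces exactly the symptom seen earlier in the thread: the switch's `aaa authentication login default group tacacs+ enable local` method list gets no usable reply from the server, treats the TACACS+ method as failed, and falls through to the next method, `enable`, so the user is prompted for the local enable password instead of ACS credentials. The reason a key mismatch breaks the exchange is that TACACS+ does not authenticate the key explicitly; the key seeds the MD5 pseudo-pad that obfuscates every packet body (RFC 8907 section 4.5), so a server with a different key recovers garbage instead of a parseable authentication START. The following Python script is an added illustration of that mechanism, not code from the thread, Cisco IOS or ACS. It builds a TACACS+ authentication START packet with the key shown in the posted config (`checkingtheswitch`) and decodes it with the right key and with a wrong one; the session id, username, port and remote address are constructed values.

```python
import hashlib
import struct

# Layouts follow RFC 8907 (TACACS+). Added illustration; not Cisco code.
VERSION = 0xC0                     # major 0xC, minor 0 (default)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12

SWITCH_KEY = b"checkingtheswitch"  # key from the posted IOS config


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate
    and truncate to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, user: bytes, port: bytes,
                       rem_addr: bytes, key: bytes, seq_no: int = 1) -> bytes:
    """Client side (the switch): header + obfuscated authentication START body."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr          # data field is empty for ASCII login
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_authen_start(packet: bytes, server_key: bytes):
    """Server side (the ACS): de-obfuscate with *its* key and parse. Returns the
    parsed fields, or None when the body does not parse as a valid START, which
    is what a key mismatch looks like to the server."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - HEADER_LEN:
        return None
    body = obfuscate(packet[HEADER_LEN:], session_id, server_key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None                          # length fields do not add up: garbage body
    if (action, authen_type, service) != (TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII,
                                          TAC_PLUS_AUTHEN_SVC_LOGIN):
        return None
    try:
        off = 8
        user = body[off:off + ulen].decode("ascii"); off += ulen
        port = body[off:off + plen].decode("ascii"); off += plen
        rem_addr = body[off:off + rlen].decode("ascii")
    except UnicodeDecodeError:
        return None
    if not (user.isprintable() and port.isprintable() and rem_addr.isprintable()):
        return None
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl}


# Constructed sample values (not from the thread).
SESSION_ID = 0x1A2B3C4D
PKT = build_authen_start(SESSION_ID, b"anand", b"tty1", b"10.203.1.50", SWITCH_KEY)

if __name__ == "__main__":
    print("ACS key matches switch:", decode_authen_start(PKT, SWITCH_KEY))
    # A different key on the ACS NDG side (Anand's mistake): the body is unreadable,
    # the switch sees no valid reply and falls back to the next method ("enable").
    print("ACS key differs:       ", decode_authen_start(PKT, b"typo-in-ndg-key"))
```

On a real deployment the equivalent check is the one Narayan pointed at: the Failed Attempts report under Reports and Activity on the ACS records the unreadable request, and `debug aaa authentication` on the switch shows the TACACS+ method erroring and the method list moving on to `enable`.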

royalblues Wed, 02/07/2007 - 08:11

Anand,

I didn't get the question properly, do you want to delete the 2nd ACS server you configured?

Narayan

Anand S Wed, 02/07/2007 - 08:56

Yeah, I want to delete the 2 AAA servers shown in the attachment (cisco-acs1 & MCR), because I couldn't see any delete option.

royalblues Wed, 02/07/2007 - 09:12

Anand,

Click on the specific Server and then you will find the delete button.

Narayan

royalblues Wed, 02/07/2007 - 10:03

On the main tab, how many NDGs & AAA servers can you see?

Are you able to see the delete button for the other ACS servers?

Narayan

Anand S Wed, 02/07/2007 - 23:51

Please find the attachments with this post for your reference: the 1st attachment is the main page, the 2nd is where I can see the 3 servers, and the rest is what I sent yesterday.
