02-07-2007 04:03 AM - edited 03-05-2019 02:12 PM
Hi,
I am running Cisco ACS 4.1 (90-day trial version). In that I have created an NDG named "EdgeSwitches"; inside that group I have added AAA clients as the IP addresses of whichever switches I require, and in that I can see the AAA server, also named "cisco-acs" with the IP address "10.1.1.1". Now I wanted to add a different NDG named "ServerSwitches", and I am adding the switches which are required to be in this group. Now when I add the AAA server and specify the same AAA server name "cisco-acs" with the IP address "10.1.1.1", I get the error "Host Already Exists". Then if I change the name from cisco-acs to cisco-acs1, I get "An overlapping IP range has been detected 10.203.1.92 conflicts with cisco-acs entry of 10.1.1.1".
How do I overcome this? Because I am planning it in such a way that some set of users should access "EdgeSwitches" and some users should access "ServerSwitches", with privilege levels as per my requirement.
02-07-2007 04:24 AM
Create user groups, and assign the users that you want to have access to ServerSwitches to the group ServerSwitches, the users for EdgeSwitches to the group EdgeSwitches, etc. Then you can assign privileges per NDG in the group section. Or you can assign privileges per user if you like.
02-07-2007 04:35 AM
Thanks for the reply, but if I create a new NDG I need to specify the AAA server, so when I am trying to do that I get the error message which I have attached to this. If it is not specified, then the switches under this NDG will not authenticate via TACACS+ on Cisco ACS.
02-07-2007 05:13 AM
02-07-2007 05:19 AM
Indeed there is no need to add a separate ACS for a different group.
02-07-2007 05:34 AM
Hi Narayan & Andreas,
Thanks for the reply. As you suggested I tried the same, but it is not asking for the username and password (from the ACS); it directly asks for the switch's local enable password. If I want the switch to prompt for username and password, I need to put that particular switch in the NDG where the AAA server is specified. :(
02-07-2007 05:49 AM
Hi Anand,
It may be a limitation on the Evaluation version :-)
Can you share the configs done on the router and the ACS?
Narayan
02-07-2007 05:54 AM
Thanks Narayan,
Here is my config:
aaa new-model
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.203.1.92 key checkingtheswitch
With this configuration I am able to see the log activities etc.
All switches have the same configuration and work fine, but only if I move one particular switch to a different NDG am I not getting the username and password prompt.
02-07-2007 06:00 AM
What does the log say in ACS when you try to log on to the switch/router?
02-07-2007 06:05 AM
Can you post the output of debug aaa authentication?
Also, can you look in the Reports and Activity tab and check the reason for the failures?
Narayan
02-07-2007 06:48 AM
Hi Narayan & Andreas,
I am extremely sorry; the only mistake I made is that while creating the new NDG, the key on the switch and the NDG key are different. That is the mistake I made. Once again extremely sorry, and thanks for your effort and quick response. A small doubt: since I have added a virtual IP on my Windows 2000 server, I created a 2nd ACS AAA server (because the same IP address is not allowed when adding the new server; now it is not required, as the problem I identified was the key mismatch). How do I delete that? I couldn't find the delete option.
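Added example, not from this thread or from Cisco: a small audit script for the situation described here. It parses an IOS AAA stanza like the one posted above, checks the switch's tacacs-server key against the key an administrator has recorded for the switch's NDG (NDG_KEYS is a hypothetical inventory with constructed values), and flags method lists that fall back to enable/local, which is why a key mismatch shows up as the local enable prompt instead of an obvious failure.

```python
import re

# Constructed sample: the running-config stanza posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
tacacs-server host 10.203.1.92 key checkingtheswitch
"""

# Hypothetical inventory: NDG name -> shared key set on that NDG's AAA-client entries in ACS.
NDG_KEYS = {"EdgeSwitches": "checkingtheswitch", "ServerSwitches": "serverswitchkey"}


def parse_aaa(config):
    """Return ({server_ip: key}, {(login|enable, list_name): [methods...]})."""
    hosts, methods = {}, {}
    for line in config.splitlines():
        m = re.match(r"tacacs-server host (\S+)(?: .*?key (\S+))?", line)
        if m:
            hosts[m.group(1)] = m.group(2)  # key is None if not set on this line
            continue
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if m:
            methods[(m.group(1), m.group(2))] = m.group(3).split()
    return hosts, methods


def audit(config, ndg, server_ip):
    """List findings for one switch that is supposed to belong to NDG `ndg`."""
    findings = []
    hosts, methods = parse_aaa(config)
    key = hosts.get(server_ip)
    if key is None:
        findings.append(f"no tacacs-server key for {server_ip}")
    elif key != NDG_KEYS.get(ndg):
        findings.append(f"tacacs-server key for {server_ip} does not match NDG {ndg!r}")
    for (kind, name), chain in methods.items():
        # A method list that continues past the TACACS+ group will silently use the
        # fallback when the server errors (e.g. undecryptable packet on key mismatch).
        if chain[:2] == ["group", "tacacs+"] and ({"enable", "local"} & set(chain[2:])):
            findings.append(f"{kind} list {name} falls back to {' '.join(chain[2:])}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "ServerSwitches", "10.203.1.92"):
        print("FINDING:", finding)
```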
02-07-2007 08:11 AM
Anand,
I didn't get the question properly; do you want to delete the 2nd ACS server you configured?
Narayan
02-07-2007 08:56 AM
02-07-2007 09:12 AM
Anand,
Click on the specific Server and then you will find the delete button.
Narayan
02-07-2007 09:18 AM