ACS 4.0 and CNA 5.0

Unanswered Question
Apr 11th, 2007
I have Cisco ACS 4.0 running and it works nicely, but when I try to access the devices using Cisco Network Assistant 5.0 I get a continuous prompt, as if my account isn't being authenticated. The account that I'm using has level 15 privilege on all devices on the network, and if I use it to telnet into the devices all works well. Any ideas that help me to resolve this issue would be greatly appreciated.

Craig Balfour Thu, 04/12/2007 - 01:56
User Badges:
  • Bronze, 100 points or more

Cisco Network Assistant (CNA) uses the switch's web interface to communicate with the switch, so the first step is to confirm that you can authenticate successfully with the switch's web interface by pointing your web browser at the switch's IP address.

If the authentication fails, your problem is most likely that authentication for the http or https service on the device is not correctly set up.


To fix this, do the following:

ip http authentication aaa
ip http server

This will configure the http service to use your AAA settings for its authentication.



Vivek Santuka Thu, 04/12/2007 - 05:43
User Badges:
  • Cisco Employee

Hi,


I would also suggest adding:

"aaa authorization exec default group tacacs+ local" on all devices, and giving the user "Privilege Level" 15 on ACS.


Regards,

Vivek

pacsniffing Thu, 04/12/2007 - 06:11
Thanks for both suggestions, I will try them out today. Please find below the config that I have on the devices:

aaa new-model
aaa authentication banner ^CCC Unauthorized use is Prohibited ^C
aaa authentication fail-message ^CCC Failed Login ^C
aaa authentication login default group tacacs+ local none
aaa authentication enable default group tacacs+ line enable none
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


I removed the none from behind local in the event that the server should become inaccessible, and added a local user with level 15 privileges, but when I disconnected the switch from the network to test I was unable to access; I kept getting an authentication failure error. Thanks in advance for all your help.
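The fallback behaviour being discussed above (the trailing "none", the "local" fallback and what happens when the TACACS+ server is unreachable), as an added example that is not from this thread: a small Python model of how IOS walks an AAA login method list, where only an ERROR (server unreachable, or a username absent from the local database) moves on to the next method and a FAIL stops the walk. The Device class, its user stores and all credentials are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Constructed stand-in for a switch: server reachability plus two user stores."""
    tacacs_reachable: bool
    tacacs_users: dict = field(default_factory=dict)  # name -> password known to ACS (constructed)
    local_users: dict = field(default_factory=dict)   # name -> password from 'username ...' lines


def parse_methods(config_line):
    """Turn 'aaa authentication login default group tacacs+ local none'
    into ['group tacacs+', 'local', 'none']."""
    toks = config_line.split()[4:]          # drop 'aaa authentication login default'
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group":              # 'group <server-group>' is a single method
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def try_method(method, dev, user, pw):
    """Evaluate one method: PASS, FAIL or ERROR. IOS only continues after ERROR."""
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return "ERROR"                  # server unreachable -> next method
        return "PASS" if dev.tacacs_users.get(user) == pw else "FAIL"
    if method == "local":
        if user not in dev.local_users:
            return "ERROR"                  # unknown local user -> next method
        return "PASS" if dev.local_users[user] == pw else "FAIL"
    if method == "none":
        return "PASS"                       # no authentication at all
    raise ValueError(f"unsupported method {method!r}")


def authenticate(method_list, dev, user, pw):
    """Walk the list in order; returns (result, method that decided it).
    If every method errors out, IOS rejects the login."""
    for m in method_list:
        r = try_method(m, dev, user, pw)
        if r != "ERROR":
            return r, m
    return "FAIL", None
```

With the posted list and the server down, any username and password is accepted by "none"; with "none" removed, a wrong password for a configured local user is rejected, and a login with no matching local user errors out of every method and is rejected too.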
