How do I create a default account with an ACS server?

Unanswered Question
Jun 13th, 2007

Has anyone seen this? I have an ACS Solution Engine appliance with several devices using it for authentication and accounting. It all seems to work great.

When I add a new device (router or switch), I noticed that it will let me log in via the ACS-based authentication even before I set up the AAA-client account for this device in the ACS appliance. I do have the TACACS key and all the appropriate information on the router or switch, but I don't have an entry for it in the ACS appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based); it seems to have a completely different behavior when it encounters an unconfigured AAA client compared to the ACS appliance. Can anyone tell me how to configure the ACS server to do the same, and where these configuration options exist?

This really concerns me from a security perspective.

darpotter Thu, 06/14/2007 - 02:58

Hmm, ACS should not (by default) accept traffic from any old device.

Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?

Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?

Try changing the shared secret in the device; you should find you get errors in the Failed Attempts log.

Also check the Passed Authentications report, as this includes the ACS network config device name in the Access-Device column.

Patrick.Beaven Thu, 06/14/2007 - 05:22

You're right. If I change the TACACS key it fails, but there is no DNS or wildcard entry for this in the ACS server. This occurs every time I add any router or switch to my network.

I thought at first that it's because the ACS sits on another segment of the network and is being NATted, but that is not the case for several of my remote routers. I will continue to look around and try to identify the issue.

Any other ideas or areas to look are appreciated.


Look in your authentication logs and see what profile group is granting access. I experienced a similar issue with the Windows server version. My issue was that I had devices without defined authentication profiles being authenticated. It turns out that I had a blank space preceding the IP address for one profile, and as soon as I removed it, it stopped blanket-authenticating anything with the shared key, with or without an ACS profile.

Patrick.Beaven Thu, 06/14/2007 - 05:56

I found the AAA-client profile called "others" and referenced it in the Passed Authentications log. This is the issue. I removed the AAA client "others" and problem solved! Apparently this is some optional client configuration that can be put in place to eliminate failed authentications on new equipment that has not been correctly entered into the ACS server!
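The three things the thread points at (a wildcard AAA-client entry, a DNS name that resolves to more than you expect, and stray whitespace in an IP field) are all cheap to audit from an export of the AAA-client list. The script below is an added example, not code from this thread or from Cisco ACS. It assumes a simple comma-separated export with one line per AAA client (name, IP field, shared key), and it assumes the ACS 4.x convention that `*` in an octet of the IP field is a wildcard; the sample export, including the catch-all `others` entry and the entry with a leading space, is constructed for this example. Given the IP of a device that has not been added yet, it reports which entries would still match it and flags the entries that deserve a second look.

```python
"""Audit an ACS-style AAA-client list for entries that match unregistered devices.

Added example, not part of the original thread or of Cisco ACS. Assumptions:
  * export format is name,ip-field,shared-key (constructed here, not a real export)
  * '*' in an octet of the IP field is a wildcard (ACS 4.x convention)
  * a hostname in the IP field is resolved by DNS at runtime, so it cannot be
    decided offline and is reported rather than matched
"""
import ipaddress
import re

# Constructed sample export; "others" is the catch-all the thread ends up removing,
# and rtr-branch-3 carries the leading space that caused blanket authentication
# in the Windows-ACS case described above.
SAMPLE_CLIENTS = """\
rtr-core-1,10.1.1.1,S3cr3t
sw-dist-2,10.1.2.0/24,S3cr3t
others,*.*.*.*,S3cr3t
rtr-branch-3, 10.9.9.1,S3cr3t
rtr-branch-4,rtr-branch-4.example.net,S3cr3t
"""

_OCTET_RE = re.compile(r"^(\*|25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_clients(text):
    """Parse the assumed export; keep the raw IP field so whitespace can be flagged."""
    clients = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name,ip-field,key")
        name, raw_ip, key = parts
        clients.append({"name": name.strip(), "raw_ip": raw_ip,
                        "ip": raw_ip.strip(), "key": key.strip()})
    return clients


def classify(ip_field):
    """Return 'wildcard', 'network', 'host' or 'hostname' for an IP field."""
    if "*" in ip_field:
        octets = ip_field.split(".")
        if len(octets) == 4 and all(_OCTET_RE.match(o) for o in octets):
            return "wildcard"
        return "hostname"  # malformed wildcard; treat as unresolvable text
    try:
        net = ipaddress.ip_network(ip_field, strict=False)
    except ValueError:
        return "hostname"
    return "host" if net.num_addresses == 1 else "network"


def entry_matches(ip_field, device_ip):
    """True/False when decidable offline; None for a hostname (needs DNS)."""
    kind = classify(ip_field)
    if kind == "hostname":
        return None
    if kind == "wildcard":
        pattern = ip_field.split(".")
        device = device_ip.split(".")
        return all(p == "*" or p == d for p, d in zip(pattern, device))
    return ipaddress.ip_address(device_ip) in ipaddress.ip_network(ip_field, strict=False)


def audit(text, device_ip):
    """Return (names of entries matching device_ip, list of warning strings)."""
    matching, warnings = [], []
    for c in parse_clients(text):
        kind = classify(c["ip"])
        if c["raw_ip"] != c["ip"]:
            warnings.append(f"{c['name']}: IP field has leading/trailing whitespace ({c['raw_ip']!r})")
        if kind == "wildcard" and c["ip"] == "*.*.*.*":
            warnings.append(f"{c['name']}: catch-all wildcard; any device with the shared key is accepted")
        elif kind == "wildcard":
            warnings.append(f"{c['name']}: wildcard {c['ip']} matches more than one device")
        elif kind == "hostname":
            warnings.append(f"{c['name']}: hostname {c['ip']} is resolved by DNS; check what it resolves to")
        if entry_matches(c["ip"], device_ip):
            matching.append(c["name"])
    return matching, warnings


if __name__ == "__main__":
    # 10.5.5.5 is a router that has not been added to ACS yet.
    matches, warns = audit(SAMPLE_CLIENTS, "10.5.5.5")
    print("entries that would accept 10.5.5.5:", matches)
    for w in warns:
        print("WARN:", w)
```

Running it against the sample shows that only the `others` entry accepts the unregistered 10.5.5.5, which is exactly the behaviour the original poster saw; the warnings list also calls out the leading space on `rtr-branch-3` and the hostname entry that would need a DNS lookup to verify. Removing or narrowing the flagged entries, then re-running with the device's shared secret changed (as suggested earlier in the thread) to confirm a Failed Attempts entry, closes the loop.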
