Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
449
Views
0
Helpful
4
Replies

how do I create a default account with an ACS Server

Patrick.Beaven
Level 1
Level 1

‎06-13-2007 12:06 PM - edited ‎03-10-2019 03:12 PM

Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.

When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?

This really concerns me from a security perspective.

Labels:
0 Helpful
4 Replies 4

darpotter
Level 5
Level 5

‎06-14-2007 02:58 AM

Hmm, ACS should not (by default) accept traffic from any old device.

Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?

Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?

Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.

Also check the Passed Authenications report as this included the ACS network config device name in the Access-Device column.

0 Helpful

Patrick.Beaven
Level 1
Level 1
In response to darpotter

‎06-14-2007 05:22 AM

You're right, If i change the tacacs key it fails but there is not dns or wildcard entry for this in the acs server. This occurs every time I add any router or switch to my network.

I thought at first that its because the ACS sits on another segment of the network and its being natted but that is not the case for several of my remote routers. I will continue to look around and try to identify the issue.

Any other ideas or areas to look are appreciated.

Thanks,

0 Helpful

akemp
Level 5
Level 5
In response to Patrick.Beaven

‎06-14-2007 05:34 AM

Look in your authentication logs and see what profile group is granting access. I experienced a similar issue with the windows server version. My issue was that I had devices without defined authentication profiles being authenticated. It turns out that I had a blank space preceeding the IP address for one profile and as soon as I removed it, it stopped blanket authenticating anything with the shared key with or without an ACS profile.

0 Helpful

Patrick.Beaven
Level 1
Level 1
In response to akemp

‎06-14-2007 05:56 AM

I found the AAA-client profile called others and referenced it in the passed authentications log. This is the issue. I removed the AAA-client others and problem solved! Apparently this is some optional client configuration that can be put in place to eliminate failed authentications on new equipment that have not been correctly entered into the ACS server!

Thanks,

0 Helpful
Customers Also Viewed These Support Documents