Can Cisco Device Manager Support ACS Authentication?

Unanswered Question
Jun 28th, 2007


My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.


My supervisor would like the Cisco Device Manager to be available to the people that don't have the in-depth CLI experience. However, in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

Overall Rating: 4.5 (2 ratings)
rochopra Thu, 06/28/2007 - 11:07
User Badges: Cisco Employee


This is possible by using the following commands:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    tacacs-server host key
    ip http server
    ip http authentication aaa


Create user

Enable Shell (exec)

Privilege level = 15

The following link can help you configure this.


Hope this helps.



pugs17211721 Thu, 06/28/2007 - 11:35

Thanks for the link. However, I am still unable to get it to work.

When I log into my ACS server I can see the successful authentications. However, I am still not able to access the CDM. It keeps re-prompting me to sign in, and then after 3 attempts it fails.

Here is a copy of a show run | inc aaa:

    NBOH-2940-001-IS#show run | inc aa
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default if-authenticated
    ip http authentication aaa

Premdeep Banga Fri, 06/29/2007 - 15:16
User Badges: Gold, 750 points or more


Actually, there is a difference in where the authentication is picked from for HTTP authentication.

With the HTTP v1 server, the same method list is picked that is used by the VTY lines.

With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.

After the fix for the above-mentioned bug, we have a different set of commands that we can use.

I would suggest you give this a try:

    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated

    ip http authentication aaa

    line con 0
     login authentication CONSOLEandHTTP
     authorization exec CONSOLEandHTTP

For details, please refer to:
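
Added example, not part of any post in this thread: a Python check that reads a saved running-config and reports which login and exec method lists the HTTP server would borrow under the two behaviours described above (the VTY lines for HTTP v1, the console for HTTP v1.1 before the CSCeb82510 fix). The sample config and all function names are constructed for illustration, and the post-fix behaviour is not modelled.

```python
import re

# Constructed sample config (not from the thread); the TACACS+ server line is left out.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLEandHTTP group tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
ip http authentication aaa
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
line vty 0 4
 transport input ssh
"""

def method_lists(cfg):
    """Map (kind, list name) -> methods, kind being 'login' or 'exec'."""
    pat = r"^aaa (?:authentication (login)|authorization (exec)) (\S+) (.+)$"
    return {(m[1] or m[2], m[3]): m[4].split()
            for m in re.finditer(pat, cfg, re.M)}

def line_bindings(cfg):
    """Map 'con'/'vty' -> bound list names; lines with no binding use 'default'."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        if m := re.match(r"line (con|vty)\b", raw):
            cur = out.setdefault(m[1], {"login": "default", "exec": "default"})
        elif not raw.startswith(" "):
            cur = None  # left the line block
        elif cur is not None:
            if m := re.match(r" +login authentication (\S+)", raw):
                cur["login"] = m[1]
            elif m := re.match(r" +authorization exec (\S+)", raw):
                cur["exec"] = m[1]
    return out

def http_aaa_report(cfg):
    """Report the lists the HTTP server would use if it follows the VTY or console lines."""
    lists, lines = method_lists(cfg), line_bindings(cfg)
    report = {"http_aaa": bool(re.search(r"^ip http authentication aaa\s*$", cfg, re.M))}
    for kind in ("vty", "con"):  # HTTP v1 -> VTY list; v1.1 before the fix -> console list
        b = lines.get(kind, {"login": "default", "exec": "default"})
        login = lists.get(("login", b["login"]), [])
        report[kind] = {"login_list": b["login"],
                        "uses_tacacs": "tacacs+" in login,
                        "local_fallback": "local" in login,
                        "exec_methods": lists.get(("exec", b["exec"]), [])}
    return report
```

Comparing the `vty` and `con` entries of `http_aaa_report(config_text)` across a fleet shows which devices would authenticate web logins differently depending on the HTTP server behaviour of the image they run.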




