Can Cisco Device Manager Support ACS Authentication?

Unanswered Question
Jun 28th, 2007

Background:


My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.


Problem:

My supervisor would like the cisco device manager to be available to the people that don't have the in-depth CLI experience. However, in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

rochopra Thu, 06/28/2007 - 11:07

Hi


This is possible by using the following commands:

aaa new-model
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated
tacacs-server host key
ip http server
ip http authentication aaa


On ACS:

Create user
Enable Shell (exec)
Privilege level = 15


The following link can help you configure this.


http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac


Hope this helps.


Regards

Rohit

pugs17211721 Thu, 06/28/2007 - 11:35

Thanks for the link. However I still am unable to get it to work.


When I log into my ACS server I can see the successful authentications. However, I am still not able to access the CDM. It keeps re-prompting me to sign in, and then after 3 attempts it fails.


Here is a copy of a show run | inc aaa:

NBOH-2940-001-IS#show run | inc aa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
ip http authentication aaa



Premdeep Banga Fri, 06/29/2007 - 15:16

Hi,


Actually, there is a difference in where the method list for HTTP authentication is picked from:

With the HTTP v1 server, the same method list is picked that is used by the VTY lines.

With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.

After the fix of the above-mentioned bug, we have a different set of commands that we can use.

I would suggest you give this a try:


aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
!
ip http authentication aaa
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP


For details, please refer to:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml


Regards,

Prem
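The replies above turn on a subtle point: on the affected HTTP v1.1 server the web login is authenticated with whatever login method list is applied to line con 0 (or with the default list when the console has none), so an ACS user can authenticate fine on the VTYs and still be rejected by the device manager. The following audit script is an added example, not code from this thread or from Cisco: it parses a running-config, resolves the list the HTTP server would inherit under that rule, and reports whether that list actually queries TACACS+, keeps a local fallback, and whether ip http authentication aaa and an exec authorization list are present. The two sample configs, the list name LOCALONLY, and the function and class names are all constructed for the example.

```python
"""Audit which AAA login method list an IOS HTTP server will inherit, and what it contains.

Added example, not code from the thread or from Cisco. It assumes the behaviour the
thread describes: the HTTP server authenticates against the login method list applied
to 'line con 0', or against 'default' when the console has no named list.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpAaaAudit:
    login_list: str                  # method list name the HTTP server resolves to
    methods: list                    # normalised methods, e.g. ["group tacacs+", "local"]
    findings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.findings


def _methods(spec):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local'].

    Bare 'tacacs+' / 'radius' (legacy syntax, as in Prem's reply) is folded into 'group ...'.
    """
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        elif toks[i] in ("tacacs+", "radius"):
            out.append("group " + toks[i])
            i += 1
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_config(text):
    """Collect the AAA, HTTP and console-line settings the audit needs from a running-config."""
    cfg = {"new_model": False, "http_auth_aaa": False, "login_lists": {}, "exec_lists": {},
           "console_login": None, "console_exec": None}
    in_console = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line "):
            in_console = (line == "line con 0")
            continue
        if in_console:
            m = re.match(r"login authentication (\S+)$", line)
            if m:
                cfg["console_login"] = m.group(1)
                continue
            m = re.match(r"authorization exec (\S+)$", line)
            if m:
                cfg["console_exec"] = m.group(1)
                continue
            if raw.startswith(" "):          # some other console sub-command: ignore
                continue
            in_console = False               # unindented line: back at global config
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            cfg["login_lists"][m.group(1)] = _methods(m.group(2))
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        if m:
            cfg["exec_lists"][m.group(1)] = _methods(m.group(2))
            continue
        if line == "aaa new-model":
            cfg["new_model"] = True
        elif line == "ip http authentication aaa":
            cfg["http_auth_aaa"] = True
    return cfg


def audit_http_aaa(text):
    """Resolve the list the HTTP server inherits from the console and check its contents."""
    cfg = parse_config(text)
    f = []
    if not cfg["new_model"]:
        f.append("aaa new-model is missing, so no AAA method list applies")
    if not cfg["http_auth_aaa"]:
        f.append("ip http authentication aaa is missing: HTTP falls back to the enable secret")
    name = cfg["console_login"] or "default"
    methods = cfg["login_lists"].get(name)
    if methods is None:
        f.append(f"login list '{name}' (inherited by HTTP from the console) is not defined")
        methods = []
    if "group tacacs+" not in methods:
        f.append(f"login list '{name}' never queries TACACS+, so ACS users cannot log in over HTTP")
    if "local" not in methods:
        f.append(f"login list '{name}' has no 'local' fallback for when ACS is unreachable")
    ename = cfg["console_exec"] or "default"
    if ename not in cfg["exec_lists"]:
        f.append(f"exec authorization list '{ename}' is not defined (both replies define one)")
    return HttpAaaAudit(name, methods, f)


# Constructed sample: VTY logins use ACS, but the console carries a local-only list,
# which under the thread's rule is what the HTTP server would inherit.
BEFORE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login LOCALONLY local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
ip http server
ip http authentication aaa
line con 0
 login authentication LOCALONLY
"""

# Constructed sample following Prem's suggestion (aaa new-model and ip http server added).
AFTER_CONFIG = """\
aaa new-model
aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
!
ip http server
ip http authentication aaa
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        result = audit_http_aaa(text)
        print(f"{label}: HTTP uses list '{result.login_list}' = {result.methods}")
        for finding in result.findings:
            print("  -", finding)
```

Run it against the output of show run (the full config, not just | inc aaa, since the line con 0 section is what decides the inherited list). The first sample is flagged because LOCALONLY never reaches ACS, which is exactly the symptom of a login loop that still shows successful authentications elsewhere; the second passes.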
