Can Cisco Device Manager Support ACS Authentication?

pugs17211721
Level 1

Background:

My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx. 3 people who have a real idea of how to configure the devices, and 2 or 3 who have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this, I am establishing a strong password for the secret password to provide as a backup.

Problem:

My supervisor would like the Cisco Device Manager to be available to the people who don't have the in-depth CLI experience. However, in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?


rochopra
Cisco Employee

Hi

This is possible by using the following commands:

aaa new-model
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated
tacacs-server host key
ip http server
ip http authentication aaa

On ACS:

Create user
Enable Shell (exec)
Privilege level = 15

The following link can help you configure this.

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac

Hope this helps.

Regards

Rohit

Thanks for the link. However, I am still unable to get it to work.

When I log into my ACS server I can see the successful authentications. However, I am still not able to access the CDM. It keeps re-prompting me to sign in, and then after 3 attempts it fails.

Here is a copy of a show run | inc aaa

NBOH-2940-001-IS#show run | inc aa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
ip http authentication aaa

Hi,

Actually, there is a difference in where the authentication method list is picked from for HTTP authentication.

With the HTTP v1 server, the same method list is picked that is used by the VTY lines.

With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.

After the fix of the above-mentioned bug, we have a different set of commands that we can use.

I would suggest you give this a try:

aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
!
ip http authentication aaa
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP

For details, please refer to:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Regards,

Prem
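As an added example (not from the thread or from the linked Cisco documents), here is a complete IOS configuration that ties the two replies together: one named method list that tries TACACS+ first and falls back to a local privilege-15 account when no ACS server answers, bound to the console (which covers the pre-fix HTTP 1.1 behaviour Prem describes) and bound explicitly to the HTTP server with `ip http authentication aaa login-authentication` / `exec-authorization`, the HTTP-specific method-list commands available on releases that include the fix. It assumes an IOS image that accepts those keywords (check with `ip http authentication aaa ?`); ACS_IP, SHARED_SECRET and the credentials are placeholders.

```cisco
! Constructed example: AAA for the CLI and the HTTP device manager.
! Replace ACS_IP, SHARED_SECRET and the credentials with your own values.
aaa new-model
!
! TACACS+ (ACS) server; the key must match the AAA client entry on ACS.
tacacs-server host ACS_IP key SHARED_SECRET
tacacs-server timeout 5
!
! Local fallback account, used only when no TACACS+ server responds.
! Privilege 15 so the device manager stays usable during an ACS outage.
username fallback-admin privilege 15 secret LOCAL_STRONG_PASSWORD
enable secret ENABLE_STRONG_PASSWORD
!
! Named list shared by the console and the HTTP server: ACS first, local second.
! Exec authorization asks ACS for the privilege level (Shell, priv-lvl 15).
aaa authentication login CONSOLEandHTTP group tacacs+ local
aaa authorization exec CONSOLEandHTTP group tacacs+ if-authenticated
!
! VTY lines keep using the default lists.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
!
! HTTP server: authenticate through AAA and bind the list explicitly.
! Older HTTP 1.1 code without these keywords falls back to the console list,
! which is why the same list is applied to line con 0 above.
! Prefer ip http secure-server where the image supports it, since plain HTTP
! sends the device-manager credentials unencrypted.
ip http server
ip http authentication aaa
ip http authentication aaa login-authentication CONSOLEandHTTP
ip http authentication aaa exec-authorization CONSOLEandHTTP
```

Keep the local account and the enable secret: if every ACS server is unreachable, `local` is the only remaining way into the device, and `debug aaa authentication` will show which method list the HTTP server actually consulted.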
