06-28-2007 10:52 AM - edited 03-10-2019 03:14 PM
Background:
My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
Problem:
My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?
06-28-2007 11:07 AM
Hi
This is possible by using the following commands:
aaa new-model
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated
tacacs-server host
ip http server
ip http authentication aaa
On ACS
Create user
Enable Shell (exec)
Privilege level = 15
The following link can help you configure this.
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac
Hope this helps.
Regards
Rohit
06-28-2007 11:35 AM
Thanks for the link. However I still am unable to get it to work.
When I log into my ACS server I can see the successful authentications. However, I am still not able to access the CDM. It keeps re-prompting me to sign in, and then after 3 attempts it fails.
Here is a copy of a show run | inc aaa
NBOH-2940-001-IS#show run | inc aa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
ip http authentication aaa
06-29-2007 03:16 PM
Hi,
Actually, there is a difference in where the method list is picked from for HTTP authentication.
With the HTTP v1 server, the same method list is picked that is used by the VTY lines.
With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
After the fix of the above-mentioned bug, we have a different set of commands that we can use.
I would suggest you give this a try:
aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
!
ip http authentication aaa
!
line con 0
login authentication CONSOLEandHTTP
authorization exec CONSOLEandHTTP
For details please refer to:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
Regards,
Prem
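To make the three cases Prem describes checkable against a saved configuration, here is an added audit script (not from this thread or from Cisco): it resolves which login method list the HTTP server would consult for each case and reports whether that list reaches a TACACS+ group. The sample config is constructed for the example, and the post-fix form `ip http authentication aaa login-authentication LIST` is assumed to be the command the fix introduced.

```python
import re

# Constructed sample running-config, modelled on the thread's "show run | inc aaa" excerpt.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLEandHTTP group tacacs+ local
aaa authorization exec default if-authenticated
ip http server
ip http authentication aaa
line con 0
 login authentication CONSOLEandHTTP
line vty 0 4
 login authentication default
"""

def parse_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = re.findall(r"group \S+|local|enable|line|none", m.group(2))
    return lists

def line_login_list(config, line_name):
    """Login list applied under 'line <line_name>'; IOS falls back to 'default' if none is set."""
    block = re.search(r"^line " + re.escape(line_name) + r"\b.*?\n((?: .*\n)*)", config, re.M)
    if block:
        m = re.search(r"^ login authentication (\S+)", block.group(1), re.M)
        if m:
            return m.group(1)
    return "default"

def http_login_list(config, http_mode):
    """Which login list the HTTP server consults in each of the three cases from the thread."""
    if http_mode == "v1":                 # HTTP 1.0 server: same list as the VTY lines
        return line_login_list(config, "vty")
    if http_mode == "v1.1-before-fix":    # HTTP 1.1 before CSCeb82510: the console's list
        return line_login_list(config, "con 0")
    # After the fix: an explicit list on the ip http command (assumed syntax), else 'default'
    m = re.search(r"^ip http authentication aaa login-authentication (\S+)", config, re.M)
    return m.group(1) if m else "default"

def uses_tacacs(config, http_mode):
    """True when the list the HTTP server would use contains a TACACS+ server group."""
    methods = parse_method_lists(config).get(http_login_list(config, http_mode), [])
    return any(method.startswith("group tacacs") for method in methods)

if __name__ == "__main__":
    for mode in ("v1", "v1.1-before-fix", "v1.1-after-fix"):
        print(mode, http_login_list(SAMPLE_CONFIG, mode), uses_tacacs(SAMPLE_CONFIG, mode))
```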