No users can get authenticated-ACS SE 4.1

Answered Question
Sep 1st, 2008

Hello All,

I am having a heck of a time getting a new ACS SE 4.1 configured in a new network. I have one 3560 now that I'm testing first, but I can't get authenticated. I have the user account/group set up, and the group is matched in my AAA statements, although I saw some errors about the group not being configured. I even created two different groups and tried different names, but still no luck. I'm just using the internal DB, nothing special. I've read the administration guide but it hasn't helped much. When I turn on debugging, I don't see much activity, only about the group being wrong, but I don't understand how that's possible. I'm running short on time; I would really appreciate some help. Thanks in advance!

Premdeep Banga Mon, 09/01/2008 - 11:15

Lets start by taking a look at your configuration on the switch (complete configuration).

Also, make sure that correct IP address of ACS SE is associated with the ACS SE hostname, and is being used on ACS SE.

"deliverance1" is the default ACS SE name(hostname).

Sometimes what happens is that even if we have the ACS SE connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, after the change has been made on the ACS SE it comes back and shows the IP 169.x.x.x associated with the new hostname.

NOTE: I am assuming that during initial configuration the ACS SE was connected to the network using the bottom NIC. If not, then this is supposed to happen.

In order to correct this issue, follow these steps:

[1] On ACS hardware/appliance go to,

Reports and Activity > Appliance Status Page >

From "NIC Configuration", copy the IP address of the ACS SE.

Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.

Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.

Note down the "Name" against the Ip address of the ACS SE.

Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it there, move all other entries to the "AAA Servers" column, and press "Submit + Restart".

Then delete the entry from the AAA Servers section that is associated with the IP address 169.x.x.x.

[2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section System Configuration > Appliance Configuration... Hostname, associated with the correct IP address, then do this:

Establish Serial Console connection to ACS SE,

Issue the command "set hostname "; at this point the system should automatically start all the services. If it does not, then we have not configured the ACS SE with the bottom NIC. Once set hostname is successful, reboot the ACS SE with the command "reboot".

[3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.

Now, the correct IP address will be associated with the correct hostname.

Regards,

Prem

Please rate if it helps!

gng4life Mon, 09/01/2008 - 12:56

Thanks Prem,

I will try that as soon as I get back to the office, which is about 7 more hours or so. I did see "deliverance1" in the hostname page along with the new name I gave it. I was plugged into the bottom NIC. Also, I applied the "SetIP" patch and the "4.1.1.23.5" patch. For the switch config, it's fairly basic:

aaa new-model
aaa authentication login default local enable
aaa authentication login default group default local
aaa authentication login default group default local
aaa authorization console
aaa authorization exec default group default local
aaa authorization commands 1 default group default local
aaa authorization commands 15 default group default local
aaa accounting exec default start-stop group default
aaa accounting commands 1 default stop-only group default

and the key, IP, etc. are there:

tacacs-server key XXXXXXXXX
tacacs-server host 172.X.X.X
tacacs-server host 172.X.X.X
ip tacacs source-interface f0/46

So you can see my frustration; this seems so simple, but I'm missing something small. I will work on the hostname and reply back to this post.

Thanks for your time and I have already rated the post.

Premdeep Banga Mon, 09/01/2008 - 13:04

I understand :)

But this is what needs to be there:

no aaa authorization console (so that we can at least have the console as a back door)
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

- My suggestion: do not go ahead and apply all the commands at once; you can lock yourself out of the device, as you are playing with command authorization.

Only have these commands:

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server key XXXXXXXXX
tacacs-server host 172.X.X.X
tacacs-server host 172.X.X.X
ip tacacs source-interface f0/46

- First test authentication using the command:

test aaa group tacacs+ legacy

- Make sure that the result is positive, then go for EXEC authorization and configure your ACS accordingly, and then go for command authorization.

Your previous AAA commands were not checking the TACACS+ server for authentication/authorization.

Regards,

Prem

Please rate if this helps!
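The staged rollout described in the answer above, written out as one IOS configuration sequence with the ACS-side setting each stage depends on noted in comments. This is an added example, not configuration from the original thread: the server addresses, key and source interface are placeholders copied from the poster's redacted config, the local username is an assumption (the thread never shows one), and the TACACS+ attribute names in the comments (service=shell, shell:priv-lvl) are the standard ones, stated here as an assumption about how ACS expresses the "Shell (exec)" and "Privilege level" checkboxes.

```cisco
! ===== Stage 1: authentication only =====
! Local fallback keeps you in if every ACS is unreachable, and leaving
! authorization out entirely means a wrong ACS setting cannot lock you out.
aaa new-model
aaa authentication login default group tacacs+ local
!
! Placeholder addresses/key/interface (assumption): fill in your own.
! The key must match the key on the AAA client entry for this switch on ACS,
! and the AAA client entry must carry the source-interface address, or ACS
! silently ignores the request and "debug tacacs" shows timeouts.
tacacs-server host 172.X.X.X
tacacs-server host 172.X.X.X
tacacs-server key XXXXXXXXX
ip tacacs source-interface FastEthernet0/46
!
! Something for the "local" method to fall back to (assumed account name).
username admin privilege 15 secret <local-password>
!
! Verify from the switch before adding any authorization line:
!   test aaa group tacacs+ <username> <password> legacy
! Proceed only when the switch reports the user as authenticated.

! ===== Stage 2: EXEC authorization =====
! On ACS, for the user or the group, tick "Shell (exec)" and optionally
! "Privilege level" 15 (TACACS+ terms: permit service=shell, shell:priv-lvl=15).
! Per-user settings override group settings on ACS, so check both places.
! Without this the switch prints "% Authorization failed" and ACS logs
! "Author failed ... Service denied service=shell" (the symptom in this thread).
no aaa authorization console
aaa authorization exec default group tacacs+ local

! ===== Stage 3: command authorization and accounting =====
! Add only after stage 2 works, from a second session while the first
! stays logged in as a safety net.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
```

One caveat beyond what the thread covers: what the switch does when every TACACS+ server is down depends on the fallback method at the end of each line, and that is worth testing deliberately (stop or block ACS, then try to log in and run a command) before relying on it, rather than discovering it during an outage.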

gng4life Tue, 09/02/2008 - 00:49

Okay, making progress. I made the changes to the name and Proxy Distro/Forwarding, then the above commands, up to authentication. Success: I could log in fine and use the enable password that is set on the account in ACS. Everything is great to that point. Now, when I go to the next line, authorization exec..., I can no longer log in to the switch; I get:

Password:
% Authorization failed.

And in the ACS log, I see this:

9/2/2008 9:08:08 Author failed test3 Tacacs+ 172.X.X.X (Default) Service denied service=shell cmd*

As soon as I take out the authorization command, it works again, user and privilege mode both. I am not sure why the authorization commands don't work, and I did try a few variations of them, but no luck. The "test" command was very helpful too. Thanks for all your help; I look forward to hearing from you soon.

Correct Answer
Premdeep Banga Tue, 09/02/2008 - 03:39

When we do EXEC authorization, we need to grant the exec privileges from the ACS/authorization server to the user, i.e.:

Under the user/group settings, look for "Shell (exec)" and check it; this should allow you in. If you also want to get some privileges directly as you log in, then also check "Privilege Level" and type the value in the box, 0-15.

I recommend referring to,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

If this is your first time configuring authorization.

Regards,

Prem

Please rate if this helps!

gng4life Tue, 09/02/2008 - 13:55

Hello there,

Thanks again for the information. Right, the exec does come from the ACS setup, but when I kept looking over it, the individual permissions take over the group permissions, and that was causing the problem. I finished that up and got replication working, and it's all looking great. Thanks so much!

Thanks for all the posts and time, I have rated all of them and checked this as solved. Great job!
