ACS not authorising Security Manager devices

Unanswered Question
Aug 6th, 2009

Hi, I have a setup with ACS 4.1 and CS-Manager 3.2.2.

I have integrated the CS-Manager into ACS with no problems.

However when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS"

I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS))

I am wondering if CS-Manager is not liking the wildcards.

Unfortunately, as we have 500 or so production devices already using this entry, I am not in a position to remove it to test my theory at present.

Anyone know if wildcards are supported for authorising CS-Manager devices?

Regards

Colin

colin.lynch Thu, 08/06/2009 - 08:01

Common Services says its Authorised by ACS, but Security Manager isn't convinced.

koeppend Wed, 08/12/2009 - 22:03

Colin

Assumption: you have CSM's Common Services integrated correctly into ACS, first with an admin account in ACS with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal), and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.

Assumption: you have a super admin group in ACS set up that has full rights to the CSM authorization categories that were pushed into ACS from Common Services when you first set up AAA in CS. And you have set up a user that is part of that ACS super admin group.

Three things to check.

1. Under ACS, click the 'Shared Profile Components' button and check that Common Services has pushed out the authorization categories into ACS; you should see CSM and auto update modules. Drill down into CSM and check to see which authorization category gives the most access, which should be 'System Administrator'; make sure that all the tick boxes in this profile are ticked with no gray or shaded boxes.

2. The user account you're logging into CSM with is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-Manager authorization categories, i.e. make sure that you have matched the group that you checked in my previous point, 'System Administrator' or whatever group you created that gave full rights.

3. Finally, you must have the device listed in your network device groups in ACS. Remember that CSM will check against ACS's NDG lists and WILL also match against an FQDN, so if you added domain information to a device in CSM then the device listed in ACS will need to be the FQDN; if it's not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2, not 100% sure, but it broke my network in 3.1.) I'm going to take a wild stab in the dark and say that the wildcard might be failing you because it doesn't match between the CSM host name and domain name sections and the ACS host name.

Dale

Oh, one final test you can try: log into the end device manually using telnet or SSH with the system identity user and pass. Just double check that the account gets access to the device via TACACS and that you can perform enable-access type functions using this account.
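The third check above (CSM looking a device up in ACS by name, with the FQDN used when domain information was entered, while the ACS entry may hold only the bare hostname or only an IP wildcard) can be walked through with a small model. The script below is an added illustration, not Cisco code and not taken from this thread: its matching rules (exact case-insensitive name match, wildcard entries treated as IP patterns that name no host) and its device lists are assumptions constructed to show which devices would be found by name, which only fall under the wildcard, and which are not in ACS at all.

```python
"""Hypothetical model of the CSM -> ACS device lookup described in the reply.

Added illustration, not Cisco code. Assumed rules: CSM builds a lookup name
from hostname plus domain (an FQDN when a domain was entered), ACS is searched
for an exactly matching device name, and a wildcard entry is an IP pattern
that does not name any host.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AcsDevice:
    """One AAA client / NDG entry as typed into ACS (assumed shape)."""
    name: str        # hostname or FQDN; "*" marks a wildcard entry
    ip_pattern: str  # exact address or wildcard such as "10.1.*.*"


@dataclass(frozen=True)
class CsmDevice:
    """One device as entered in Security Manager (assumed shape)."""
    hostname: str
    domain: str      # "" when no domain information was entered
    ip: str


def csm_lookup_name(dev: CsmDevice) -> str:
    """Name CSM is assumed to look up in ACS: the FQDN if a domain was entered."""
    full = f"{dev.hostname}.{dev.domain}" if dev.domain else dev.hostname
    return full.lower()


def find_by_name(name: str, acs: list[AcsDevice]) -> AcsDevice | None:
    """Exact, case-insensitive name match; wildcard entries never match by name."""
    for entry in acs:
        if entry.name != "*" and entry.name.lower() == name:
            return entry
    return None


def covered_by_wildcard(ip: str, acs: list[AcsDevice]) -> bool:
    """True if some wildcard entry's IP pattern covers the address."""
    return any(e.name == "*" and fnmatchcase(ip, e.ip_pattern) for e in acs)


def diagnose(csm: list[CsmDevice], acs: list[AcsDevice]) -> dict[str, str]:
    """Classify each CSM device by how (or whether) it would be found in ACS."""
    report: dict[str, str] = {}
    for dev in csm:
        wanted = csm_lookup_name(dev)
        if find_by_name(wanted, acs):
            report[dev.hostname] = "ok"
        elif dev.domain and find_by_name(dev.hostname.lower(), acs):
            # ACS lists the bare hostname but CSM asks for the FQDN (point 3)
            report[dev.hostname] = (
                f"name-mismatch: ACS has '{dev.hostname}', CSM looks up '{wanted}'"
            )
        elif covered_by_wildcard(dev.ip, acs):
            report[dev.hostname] = "wildcard-only: IP covered but hostname not listed by name"
        else:
            report[dev.hostname] = "not-in-acs"
    return report


# Constructed sample data, not taken from the thread.
ACS_ENTRIES = [
    AcsDevice("*", "10.1.*.*"),                # the one wildcard entry covering all devices
    AcsDevice("fw1", "10.1.1.1"),              # explicit entry, bare hostname
    AcsDevice("fw2.example.net", "10.1.1.2"),  # explicit entry, FQDN
]
CSM_DEVICES = [
    CsmDevice("fw1", "example.net", "10.1.1.1"),  # domain entered, ACS has bare name
    CsmDevice("fw2", "example.net", "10.1.1.2"),  # domain entered, ACS has FQDN
    CsmDevice("fw3", "", "10.1.1.3"),             # relies on the wildcard only
    CsmDevice("fw4", "", "192.168.1.4"),          # outside the wildcard, not in ACS
]

if __name__ == "__main__":
    for host, status in diagnose(CSM_DEVICES, ACS_ENTRIES).items():
        print(f"{host:5} {status}")
```

Run as-is to see the four outcomes; swap in your own export of CSM device names and ACS entries to find the devices that are reachable only through the wildcard or whose name form differs between the two products.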

colin.lynch Thu, 08/13/2009 - 06:01

Hi Dale

Thanks for the reply

I am fairly happy CSM and ACS are correctly integrated, and your first two points above are certainly configured.

I feel the issue lies with your 3rd point.

As the client uses a wildcard mask to cover their hundred or so devices, I cannot add more granular devices within the same range using the same auth method (TACACS+ Cisco IOS). Common Services says they are authorized but CSM says not.

I have added all firewall devices into CSM in non-ACS mode, but when I switch back to ACS mode they are no longer listed (as I guess they are unauthorised).

Regards

Colin
