MARS AAA Authentication with Cisco ACS not working

Aug 11th, 2010

I have tried to integrate CS-MARS with Cisco ACS for AAA Authentication as per the document.


http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/archives/200711.html


I had added my two ACS Appliances to the CS-MARS, and when I am doing a "test connectivity" and using ACS usernames I am successfully able to authenticate (as shown in the attached picture).


Once I change to AAA Server mode and logout, I am unable to login using AAA (ACS usernames). Don't know what is the problem.


Can someone help me?


Thanks in advance.

Correct Answer
mikecrowe4ICS_2 Wed, 08/11/2010 - 17:59

Your screenshots show that testing authentication (in general) works.  Did you configure local usernames on the CS-MARS box that match the account names in ACS?


> If authentication is set to local, set up user accounts with names and passwords that match the credentials in ACS.  For example, set up an account named "test", as it appears that account is in your ACS server.


> If authentication is already set to AAA, set up users that match (no password necessary).


Also, make sure that the account has the proper permissions in ACS for the MARS device.  Have you done all of this?

jennyjohn Thu, 08/12/2010 - 02:37

Hi Michael,


Thanks, it is working now.


Since I had already set it to AAA mode, I had to add only the usernames.


But this kinda beats the purpose of using AAA authentication, since now I have to add all the usernames in CS-MARS also. If I have a new user, I will have to add in the Cisco ACS as well as the CS-MARS.

mikecrowe4ICS_2 Thu, 08/12/2010 - 18:19

Ok, good to know it's working.


You're absolutely right about the duplicate effort of creating the accounts in MARS.  However, it potentially has an upside for some situations (like mine).  If an admin has control of the MARS server and accounts, but not the accounts in the ACS server, it's a bonus.  No one can get access to the MARS server without acknowledgment from the MARS admin.


Considering the kind of information maintained in MARS, that could be a Good Thing™.
