ACS v5.3 Identity selection for authentication

Before, I configured ACS v4.2 to authenticate network devices using internal users first and, if the user was not found, to use the AD user list. But with v5.3 I have some problems doing this. In the identity policy I use the rule based result selection option; I configured 2 policies for the identity source, one for Internal Users and another policy for AD users, but it only works with the first policy, internal users or AD; it works only for the first identity policy.

Any idea how to do that, so that if the user is not found by the first policy, it continues to the next policy?

Thanks,

Juan Carlos

[Attachment: ACS1.jpg]

7 REPLIES
Silver

Re: ACS v5.3 Identity selection for authentication

Hello Juan Carlos,

The authentication will always hit the first rule, as the conditions are exactly the same for both rules, so the request will always match the first configured rule.

Instead of configuring 2 Rules pointing to 2 different Databases you need to create 1 Rule using the Identity Store Sequence feature where you will define first Internal Users and then AD1.

Go under Users and Identity Stores > Identity Store Sequence > Click Password Based > Move the Internal Users and AD1 to the right box.

After completing the above, delete one of the rules you created under Access Services > Device Admin > Identity and keep only one of the rules. For the Identity Source, select the Identity Store Sequence you created above instead of selecting AD1 or Internal Users.

NOTE: The Identity Store Sequence will include both databases.

The above configuration should accomplish the scenario you need with the ACS checking the Internal Users first and then AD1.

Please mark the post as answered if you find the above useful for your scenario after testing. If you have any question let us know.

Regards.

ACS v5.3 Identity selection for authentication

Hi Carlos,

Thanks for your quick answer. I configured it as you said, but I got a strange behaviour: I try to authenticate using an internal user and it says "Authorization failed", but if I go to the TACACS authentication reports, it says that authentication passed. And if I try using a user from AD, it also says "Authorization failed", and the report says that the user was not found; it was looking for it in the internal user identity store.

I was wondering, do I have to restart some service for this change?

Any idea will be very helpful.

Thanks,

Juan Carlos

Silver

ACS v5.3 Identity selection for authentication

Hello Juan Carlos,

Probably you have an authorization exec configuration on the IOS device or ASA. You need to define a condition under Device Admin > Authorization in order to send privilege level 15 after successfully authenticating the user.

In that case you first need to create the Shell Profile under Policy Elements > Device Administration Shell Profiles > Click Create > Assign a name and select the Common Tasks Tab > Set both privilege options to static and value 15 and Submit.

You need to bind that Shell Profile as a result of the authorization condition for Device Admin Access Service.

You can use AD1: External Groups for one rule and ACS Identity Groups for the other rule. In this case (for authorization) you are going to need two rules.

NOTE: Also, the Identity Store Sequence needs a change. Under the box where you selected Internal Users and AD1 there are two other boxes for "Additional Attribute Retrieval". You might want to move both Internal Users and AD1 to the right box as well.

I do not have an ACS 5.x with me right now. Hope the above is clear enough for you. If not let us know.

Regards.

ACS v5.3 Identity selection for authentication

Hello Carlos, I appreciate your time and your comments. I omitted the authorization exec on the IOS device and now it works for internal users, but something else is missing, as I can't authenticate using AD users. This is my config:

! TACACS+ server group pointing at the ACS 5.3 node
aaa group server tacacs+ TACACS_PLUS
 server 192.168.240.28
! Login authentication for all lines goes to the ACS group
aaa authentication login default group TACACS_PLUS
! Named method list for level-15 command authorization (applied per line)
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group TACACS_PLUS if-authenticated
! Accounting: failed authentications, interim updates, exec/network/connection records
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting network default start-stop group TACACS_PLUS
aaa accounting connection default start-stop group TACACS_PLUS
! Shared secret stored as a type 7 (reversible) string
tacacs-server host 192.168.240.28 port 49 key 7 104D0617040717180F05
tacacs-server directed-request

ACS v5.3 Identity selection for authentication

I enabled a debug and, when connecting with an AD user, I received an authentication failure:

AAA/AUTHEN/START (3006091279): port='tty1' list='' action=LOGIN service=LOGIN
AAA/AUTHEN/START (3006091279): using "default" list
AAA/AUTHEN/START (3006091279): Method=TACACS_PLUS (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = GETUSER
AAA/AUTHEN (3006091279): status = GETUSER
AAA/AUTHEN/CONT (3006091279): continue_login (user='(undef)')
AAA/AUTHEN (3006091279): status = GETUSER
AAA/AUTHEN (3006091279): Method=TACACS_PLUS (tacacs+)
TAC+: send AUTHEN/CONT packet id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = GETPASS
AAA/AUTHEN (3006091279): status = GETPASS
AAA/AUTHEN/CONT (3006091279): continue_login (user='juancarlos.arias')
AAA/AUTHEN (3006091279): status = GETPASS
AAA/AUTHEN (3006091279): Method=TACACS_PLUS (tacacs+)
TAC+: send AUTHEN/CONT packet id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = FAIL
AAA/AUTHEN (3006091279): status = FAIL
AAA/AUTHEN/ABORT: (3006091279) because Unknown.
TAC+: send abort reason=Unknown
AAA/MEMORY: free_user_quiet (0x1962CB0) user='juancarlos.arias' ruser='NULL' port='tty1' rem_addr='192.168.240.170' authen_type=1 service=1 priv=15

Thanks for your time,

Juan Carlos
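The debug output in the post above is easier to read once it is grouped by AAA session id. The following is an added example, not code from the thread or from Cisco: it parses the `debug aaa authentication` / `debug tacacs` lines into one record per session and picks out the logins whose final TACACS+ AUTHEN status was FAIL. The first session in the sample is the one posted above; the second session (id 3006091280, port tty2, user admin-local, address 192.168.240.171) is constructed sample data added to show a PASS for contrast. `AAA/MEMORY` lines carry no session id, so they are correlated back to the most recent session on the same port, which is an assumption of this parser.

```python
"""Added example: parse IOS AAA/TACACS+ debug output into per-session records."""
import re
from collections import OrderedDict

START_RE = re.compile(r"^AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
STATUS_RE = re.compile(r"^TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")
USER_RE = re.compile(r"^AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
FREE_RE = re.compile(
    r"^AAA/MEMORY: free_user_quiet \(0x[0-9A-Fa-f]+\) user='([^']*)'"
    r".*?port='([^']*)' rem_addr='([^']*)'"
)

# Session 3006091279 is the debug posted in the thread; session 3006091280 is
# constructed sample data (a successful login) for contrast.
SAMPLE_DEBUG = """\
AAA/AUTHEN/START (3006091279): port='tty1' list='' action=LOGIN service=LOGIN
AAA/AUTHEN/START (3006091279): using "default" list
AAA/AUTHEN/START (3006091279): Method=TACACS_PLUS (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = GETUSER
AAA/AUTHEN (3006091279): status = GETUSER
AAA/AUTHEN/CONT (3006091279): continue_login (user='(undef)')
TAC+: send AUTHEN/CONT packet id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = GETPASS
AAA/AUTHEN/CONT (3006091279): continue_login (user='juancarlos.arias')
TAC+: send AUTHEN/CONT packet id=3006091279
TAC+: ver=192 id=3006091279 received AUTHEN status = FAIL
AAA/AUTHEN (3006091279): status = FAIL
AAA/AUTHEN/ABORT: (3006091279) because Unknown.
TAC+: send abort reason=Unknown
AAA/MEMORY: free_user_quiet (0x1962CB0) user='juancarlos.arias' ruser='NULL' port='tty1' rem_addr='192.168.240.170' authen_type=1 service=1 priv=15
AAA/AUTHEN/START (3006091280): port='tty2' list='' action=LOGIN service=LOGIN
TAC+: ver=192 id=3006091280 received AUTHEN status = GETUSER
AAA/AUTHEN/CONT (3006091280): continue_login (user='(undef)')
TAC+: ver=192 id=3006091280 received AUTHEN status = GETPASS
AAA/AUTHEN/CONT (3006091280): continue_login (user='admin-local')
TAC+: ver=192 id=3006091280 received AUTHEN status = PASS
AAA/MEMORY: free_user_quiet (0x1962D00) user='admin-local' ruser='NULL' port='tty2' rem_addr='192.168.240.171' authen_type=1 service=1 priv=15
"""


def parse_sessions(lines):
    """Group debug lines by AAA session id.

    Returns a list of dicts with id, port, user, statuses (the AUTHEN status
    values in the order the TACACS+ server returned them) and rem_addr.
    """
    sessions = OrderedDict()
    last_session_on_port = {}  # AAA/MEMORY lines carry no id, only the port
    for raw in lines:
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            sid, port = m.groups()
            sessions[sid] = {"id": sid, "port": port, "user": None,
                             "statuses": [], "rem_addr": None}
            last_session_on_port[port] = sid
            continue
        m = STATUS_RE.match(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["statuses"].append(m.group(2))
            continue
        m = USER_RE.match(line)
        if m and m.group(1) in sessions and m.group(2) != "(undef)":
            sessions[m.group(1)]["user"] = m.group(2)
            continue
        m = FREE_RE.match(line)
        if m:
            user, port, rem_addr = m.groups()
            sid = last_session_on_port.get(port)
            if sid is not None:
                sessions[sid]["rem_addr"] = rem_addr
                if sessions[sid]["user"] is None:
                    sessions[sid]["user"] = user
    return list(sessions.values())


def failed_logins(sessions):
    """Sessions whose final AUTHEN status from the server was FAIL."""
    return [s for s in sessions if s["statuses"] and s["statuses"][-1] == "FAIL"]


if __name__ == "__main__":
    for s in failed_logins(parse_sessions(SAMPLE_DEBUG.splitlines())):
        print(f"FAIL session {s['id']}: user={s['user']} port={s['port']} "
              f"from={s['rem_addr']} path={'>'.join(s['statuses'])}")
```

The GETUSER > GETPASS > FAIL path shows the router did reach ACS and ACS rejected the credentials; it does not say which identity store produced the rejection, which is why the helper asks for the ACS Error Message Details from Monitoring and Reports in the next reply.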

Silver

ACS v5.3 Identity selection for authentication (accepted solution)

Juan Carlos,

Under the Identity Store Sequence settings, can you uncheck "If internal user/host not found or disabled then exit sequence and treat as 'User Not Found'"?

Please test again with the AD user and share the results. Please share a screenshot of the Identity Settings for Device Administration.

If the issue persists share as well the ACS Error Message Details from the ACS Monitoring and Reports.

If this has been helpful do not forget to rate

Regards.
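The two mechanisms this thread turns on, first-match rule selection in the identity policy (the earlier reply) and the "exit sequence and treat as User Not Found" option on the Identity Store Sequence (the accepted solution above), can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco, and not ACS's own implementation: it is a small simulation that reproduces why the original two-rule configuration never reached AD1, and why the sequence still failed for AD users while that option was checked. The store names follow the thread; the user names and passwords (admin-local, juancarlos.arias, their passwords) are constructed sample data.

```python
"""Added example: a model of ACS 5.x identity-source selection."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Store:
    name: str
    users: Dict[str, str]      # username -> password, constructed sample data
    internal: bool = False     # True for the ACS "Internal Users" store

    def authenticate(self, user: str, password: str) -> str:
        """'pass', 'fail' (bad password) or 'not_found' (unknown user)."""
        if user not in self.users:
            return "not_found"
        return "pass" if self.users[user] == password else "fail"


@dataclass
class IdentityStoreSequence:
    stores: List[Store]
    # Models the checkbox "If internal user/host not found or disabled then
    # exit sequence and treat as User Not Found".
    exit_if_internal_not_found: bool = True

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[str]]:
        """Ask each store in order; stop on pass/fail, continue on not_found."""
        result: Tuple[str, Optional[str]] = ("not_found", None)
        for store in self.stores:
            outcome = store.authenticate(user, password)
            result = (outcome, store.name)
            if outcome != "not_found":
                return result
            if store.internal and self.exit_if_internal_not_found:
                # The option that bit the original poster: the sequence stops
                # after Internal Users, so AD1 is never consulted.
                return result
        return result


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    source: object  # a Store or an IdentityStoreSequence


def select_identity_source(rules: List[Rule], request: dict) -> Optional[Rule]:
    """Rule-based result selection: the first rule whose condition holds wins."""
    for rule in rules:
        if rule.condition(request):
            return rule
    return None


INTERNAL = Store("Internal Users", {"admin-local": "L0calPw!"}, internal=True)
AD1 = Store("AD1", {"juancarlos.arias": "AdPw!"})


def two_rules_same_condition() -> Tuple[str, str]:
    """The original configuration: two rules with identical conditions.
    Rule-2 (AD1) is shadowed, so an AD user is looked up only in Internal Users."""
    always = lambda req: True
    rules = [Rule("Rule-1", always, INTERNAL), Rule("Rule-2", always, AD1)]
    rule = select_identity_source(rules, {"user": "juancarlos.arias"})
    return rule.name, rule.source.authenticate("juancarlos.arias", "AdPw!")


def one_rule_with_sequence(exit_if_internal_not_found: bool) -> Tuple[str, Optional[str]]:
    """The recommended configuration: one rule whose source is the sequence."""
    seq = IdentityStoreSequence([INTERNAL, AD1], exit_if_internal_not_found)
    rules = [Rule("Rule-1", lambda req: True, seq)]
    rule = select_identity_source(rules, {"user": "juancarlos.arias"})
    return rule.source.authenticate("juancarlos.arias", "AdPw!")


if __name__ == "__main__":
    print("two rules, same condition:", two_rules_same_condition())
    print("sequence, exit option checked:", one_rule_with_sequence(True))
    print("sequence, exit option unchecked:", one_rule_with_sequence(False))
```

With the exit option checked the sequence returns "not found" from Internal Users without ever asking AD1, which matches the report the poster saw ("the user was not found, it was looking for it on the internal user identity store"). Note that a wrong password at Internal Users stops the sequence as a failure rather than falling through to AD1, so the sequence does not let a local-account lockout be bypassed by retrying against AD.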

ACS v5.3 Identity selection for authentication

Hello Carlos,

That was the solution. I had enabled that option understanding it to mean something else; I was confused. I appreciate all your time and comments helping me fix this; you helped me a lot.

Below is the screenshot that you require.

Thanks again,

Juan Carlos
