Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ACS5.5 TACACS enable question

I'm moving our ACS from 4.2.1 to 5.5 and I'm not having problems with most of it.  In fact, I like most of the changes in ACS 5.5.  One thing I'm stumped on (for now).

In ACS 4.2.x, we can create a user, have that user authenticate with AD, LDAP, internal, whatever.  We can do that in 5.5 as well.  The difference is that on ACS 5.5, if the user is configured to authenticate with other than an internally configured password, the "enable password" boxes are greyed out.  Seems the system forces the user to use the same password for the enable password on a switch/router/whatever.

Is there a way in ACS 5.5 to manually enter a unique enable password for a user, yet allow that user to authenticate via an external source?  As in ACS 4.2?  It could be I just haven't found the workaround yet.

Hope that's clear.

 

 

7 REPLIES
Community Member

Oh yeah.  I have the most

Oh yeah.  I have the most recent patch installed, 5.5.0.46.2

Cisco Employee

Hi Wbauer,You may point user

Hi Wbauer,

You may point user login authentication to external identity store like AD, LDAP etc and enable authentication to locally configured enable password on ACS. I had answered this query before here

Hope this helps.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin Katyal
Community Member

Thanks for the response, but

Thanks for the response, but I'm afraid I don't quite understand your solution.  I think some of the grammar in the response is tripping me up.

The user's ACS enable password is disabled for entry if the user is configured to authenticate with an external source, so where exactly is the enable password defined on ACS?  The screenshot and explanation in the solution doesn't make that at all clear to me.

Cisco Employee

The user should be present in

The user should be present in both the databases (ACS internal and Active directory). You need to select the internal database while creating a user. The login password could be anything because it's not gonna check. 

User login: XXXX

Password: XXXX -----> This password will be checked against the external identity store like AD.

>enable

password: XXXX  ----> This password with be checked against ACS internal database.

In those screen shots you will see an option to select the identity source.

hope this adds little more clarification.

Regards,

Jatin Katyal

*Do rate helpful posts*

 

~Jatin Katyal
Community Member

I understand all of that, but

I understand all of that, but as I've said, if I select anything other than "Internal Users" for the password type, the enable password boxes are disabled.  Unable to enter anything into them at all.

The only way I can enter a password into those fields is to the the password type to "Internal Users".

The source of my consternation is the enable password fields are disabled with all external choices for password type in 5.5.

Cisco Employee

that is correct... enable

that is correct... enable password fields are disabled with all external choices for password type in ACS 5.x

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin Katyal
Community Member

But above you said to enter

But above you said to enter the enable password, even if we select AD for the password.  The two statements don't resolve.

Are you saying to create the user as Internal Only, enter an enable password, then save it.

Then in a second step change the user auth to an external mechanism and the enable password will remain active, even though disabled?

If so, that's stated no where in the solutions provided.

57
Views
0
Helpful
7
Replies
CreatePlease to create content