Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Can Cisco Device Manager Support ACS Authentication?

Background:

My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.

Problem:

My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

3 REPLIES
Cisco Employee

Re: Can Cisco Device Manager Support ACS Authentication?

Hi

This is possible by using the following commands :

aaa new-model

aaa authentication login default group tacacs local

aaa authorization exec default group tacacs if-authenticated

tacacs-server host key

ip http server

ip http authentication aaa

On ACS

Create user

Enable Shell (exec)

Privilege level = 15

Following link can help you configure this.

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac

Hope this helps.

Regards

Rohit

Community Member

Re: Can Cisco Device Manager Support ACS Authentication?

Thanks for the link. However I still am unable to get it to work.

When I log into my ACS server I can see the successful authentications. However I am still not able to access the CDM. It keeps re-prompting me to sign in, and then after 3 attemps its fail.

Here is a copy of a show run | inc aaa

NBOH-2940-001-IS#show run | inc aa

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default if-authenticated

ip http authentication aaa

Re: Can Cisco Device Manager Support ACS Authentication?

Hi,

Actually, there is a difference as from where the authentication is picked from for HTTP authentication,

With HTTP v1 server, same method list is picked, that is used by VTY lines.

With HTTP v1.1 server, but before the integration of fix for bug CSCeb82510, the method list defined for console is checked.

After the fix of the above mentioned bug, we have some different sent of commands that we can use.

I would suggest you to give this a try,

aaa authentication login CONSOLEandHTTP tacacs+ local

aaa authorization exec CONSOLEandHTTP if-authenticated

!

ip http authentication aaa

!

line con 0

login authentication CONSOLEandHTTP

authorization exec CONSOLEandHTTP

For detail please refer,

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Regards,

Prem

155
Views
9
Helpful
3
Replies
CreatePlease to create content