Cisco Support Community

New Member

Cisco ACS 5.4 setup

I am setting up Cisco ACS 5.4 for my org. The way I have it set up, ACS passes the authentication off to a RADIUS server. The problem is that it does this for both the user and the enable password on each account. Is there a way to configure ACS to look locally in its internal identity stores for the enable password but to keep passing on the user portion to RADIUS?

  • AAA Identity and NAC
Accepted Solution
Cisco Employee

Cisco ACS 5.4 setup

Hi Jessica,

I went through your query and it seems you would like login authentication to be checked against some other external radius server (proxy radius server) and enable to be checked against the locally configured enable password on the ACS.

I don't think this can be done with the radius protocol; however, with tacacs we can use the service attribute and define in Identity > rule based selection that if service matches login, point it to the AD database, or if it matches enable, point it to the internal database. I've attached a screen shot of the same for your reference. The identity source could be anything from the configured databases.

~BR
Jatin Katyal

**Do rate helpful posts**

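To make concrete what the accepted answer keys on, here is an added Python example (my own illustrative code, not Cisco's or ACS's) that parses a TACACS+ authentication START packet, reads its service field (login vs. enable) and applies an ordered identity-selection rule list in the spirit of the ACS rule-based selection described above; it also implements the RFC 8907 body obfuscation so the sample packet looks like real traffic. The packet, shared key and identity-store names are constructed assumptions.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants used by the authentication START packet.
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
SVC_NAMES = {0: "none", 1: "login", 2: "enable", 3: "ppp", 4: "arap",
             5: "pt", 6: "rcmd", 7: "x25", 8: "nasi", 9: "fwproxy"}

# Identity-selection rules modelled on ACS Identity > rule-based selection:
# first matching service wins, otherwise fall back to the default store.
# Store names are assumed examples, not real ACS identifiers.
IDENTITY_RULES = [("login", "External RADIUS Proxy"), ("enable", "Internal Users")]
DEFAULT_STORE = "Internal Users"

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5: pad_i = MD5(sid, key, ver, seq, pad_i-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Return service name, privilege level and user from an authentication START packet."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:  # de-obfuscate with the shared key
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    user = body[8:8 + ulen].decode()
    return {"service": SVC_NAMES.get(service, str(service)), "priv_lvl": priv_lvl, "user": user}

def select_identity_store(fields: dict) -> str:
    """Apply the ordered rules to the parsed START fields."""
    for service, store in IDENTITY_RULES:
        if fields["service"] == service:
            return store
    return DEFAULT_STORE

def build_authen_start(user: str, service: int, key: bytes) -> bytes:
    """Constructed sample packet of the kind an IOS device would send to ACS."""
    version, seq_no, session_id = 0xC0, 1, b"\x00\x00\x12\x34"
    priv_lvl = 15 if service == 2 else 1  # enable asks for level 15, login for level 1
    body = bytes([1, priv_lvl, 1, service, len(user), 3, 0, 0]) + user.encode() + b"tty"
    body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))
    return struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body)) + body
```

With RADIUS there is no equivalent field to branch on, which is why the answer points to TACACS+ for this split.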
4 REPLIES
Bronze

Cisco ACS 5.4 setup

ACS maintains different internal identity stores to maintain user and host records. For each identity store, you can define identity attributes associated with that particular store for which values are defined while creating the user or host records. You can define these identity attributes as part of identity dictionaries under the System Administration section of the ACS application (System Administration > Configuration > Dictionaries > Identity).

Each internal user record includes a password, and you can define a second password as a TACACS+ enable password. You can configure the password stored within the internal user identity store to expire after a particular time period and thus force users to change their own passwords periodically. Users can change their passwords over the RADIUS or TACACS+ protocols or use the UCP web service. Passwords must conform to the password complexity criteria that you define in ACS.

Please check the link below, which may be helpful for you.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1123501

New Member

Cisco ACS 5.4 setup

Excellent! I tried this and it worked. It was exactly what I was trying to figure out. Thanks!

Cisco Employee

Cisco ACS 5.4 setup

Glad we could answer. I'd appreciate it if you mark this thread resolved.

~BR
Jatin Katyal

**Do rate helpful posts**
