Cisco ACS can't find/authenticate internal user on 3550 switch

ejeangilles
Level 1

I'm doing some testing with ACS server on my Windows box and I can't seem to get a bare-bones RADIUS authentication to work with ACS internal users. I tested the same configuration with TACACS and it works fine, so there's something missing or misconfigured in my setup.

I have a Cisco 3550 switch that I want users to log in to using their ACS username/password.

SW1

username cisco password 0 cisco
username admin password 0 admin
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 172.16.1.115 auth-port 1645 acct-port 1646 key password
radius-server source-ports 1645-1646
radius-server key password

Eventually it uses my local username/password, with which I'm able to get in, but I'm not sure why it says it can't find the user account.

Here are the debugs from my Cisco switch, and attached are the screenshots of my ACS server.

User Access Verification

Username:
2d18h: AAA: parse name=tty0 idb type=-1 tty=-1
2d18h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
2d18h: AAA/MEMORY: create_user (0x17478B0) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
2d18h: AAA/AUTHEN/START (1772888944): port='tty0' list='' action=LOGIN service=LOGIN
2d18h: AAA/AUTHEN/START (1772888944): using "default" list
2d18h: AAA/AUTHEN/START (1772888944): Method=radius (rad
Username: userius)
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
Username: user2
Password:
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='(undef)')
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
2d18h: AAA/AUTHEN (1772888944): status = GETPASS

2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='user2')
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
% Authentication failed.

2 Replies

shoaibkhan
Level 1

In ACS, try sending the following attribute as part of authorization for users who can telnet/ssh to the router/switch.

cisco-avpair = "shell:priv-lvl=15"

Thanks
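Added example, not code from this thread, from Cisco IOS or from ACS: a minimal Python model of the RADIUS exchange the switch config above sets up, using the shared secret `password` from the config, the User-Password hiding from RFC 2865, and the cisco-avpair VSA from the reply. The NAS-IP-Address 172.16.1.1, the identifier and the authenticator bytes are constructed sample values; the switch's own address is not given in the thread.

```python
import hashlib
import struct

SHARED_SECRET = b"password"   # the radius-server key from the switch config above
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco VSAs


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_user_password; a server with a different secret recovers garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte counts its own 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific (26) carrying cisco-avpair (vendor type 1), e.g. shell:priv-lvl=15."""
    return avp(26, struct.pack("!I", CISCO_VENDOR_ID) + avp(1, text))


def build_access_request(username: bytes, password: bytes, req_auth: bytes, ident: int) -> bytes:
    """Code 1 = Access-Request. NAS-IP-Address 172.16.1.1 is a constructed sample value."""
    attrs = avp(1, username) + avp(2, encode_user_password(password, SHARED_SECRET, req_auth))
    attrs += avp(4, bytes([172, 16, 1, 1]))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(req_auth: bytes, ident: int, attrs: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Code 2 = Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """The NAS-side check that discards a reply signed with a different shared secret."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    return hashlib.md5(header + req_auth + attrs + secret).digest() == resp_auth
```

A shared-secret mismatch between the switch and the AAA client entry in ACS shows up here as an undecodable password on the server side and a failed Response Authenticator check on the NAS, so it is worth ruling out before looking at the user database.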

Is that a command that I have to run? I'm using the ACS that runs on my Windows 2003 server. Not sure where that is in the GUI.