04-30-2012 12:26 PM - edited 03-12-2019 05:40 PM
I'm doing some testing with ACS server on my Windows box and I can't seem to get a bare-bones RADIUS authentication to work with ACS internal users. I tested the same configuration with TACACS and it works fine, so there's something missing or misconfigured in my setup.
I have a Cisco 3550 switch that I want users to log in to using their ACS username/password.
SW1
username cisco password 0 cisco
username admin password 0 admin
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 172.16.1.115 auth-port 1645 acct-port 1646 key password
radius-server source-ports 1645-1646
radius-server key password
Eventually it uses my local username/password, with which I'm able to get in, but I'm not sure why it says it can't find the user account.
Here are the debugs from my Cisco switch and attached are the screenshots of my ACS server.
User Access Verification
Username:
2d18h: AAA: parse name=tty0 idb type=-1 tty=-1
2d18h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
2d18h: AAA/MEMORY: create_user (0x17478B0) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
2d18h: AAA/AUTHEN/START (1772888944): port='tty0' list='' action=LOGIN service=LOGIN
2d18h: AAA/AUTHEN/START (1772888944): using "default" list
2d18h: AAA/AUTHEN/START (1772888944): Method=radius (rad
Username: userius)
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
Username: user2
Password:
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='(undef)')
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='user2')
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
% Authentication failed.
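Reading the debug above by eye is error-prone because the console prompts are interleaved with the AAA lines. The following Python is an added example (not part of the original post) that groups the AAA/AUTHEN lines by session id and reports the method list used, the methods tried in order, the user and the status history. It also flags whether IOS moved on from `radius` to `local`, which only happens when the RADIUS method returns an error (no usable server reply), never on an explicit reject. The first sample is the debug quoted above; the second is a constructed sample of what a fallback to local looks like, so the check has something to trigger on.

```python
import re

# Debug output quoted from the original post (prompt text interleaved as captured).
POST_DEBUG = """\
2d18h: AAA/AUTHEN/START (1772888944): port='tty0' list='' action=LOGIN service=LOGIN
2d18h: AAA/AUTHEN/START (1772888944): using "default" list
2d18h: AAA/AUTHEN/START (1772888944): Method=radius (rad
Username: userius)
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
Username: user2
Password:
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='(undef)')
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='user2')
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
% Authentication failed.
"""

# Constructed sample (not from the thread): the same method list when the RADIUS
# method errors out and IOS moves on to the next method, local.
FALLBACK_DEBUG = """\
2d18h: AAA/AUTHEN/START (1772888945): using "default" list
2d18h: AAA/AUTHEN/START (1772888945): Method=radius (radius)
2d18h: AAA/AUTHEN/CONT (1772888945): continue_login (user='admin')
2d18h: AAA/AUTHEN (1772888945): status = ERROR
2d18h: AAA/AUTHEN (1772888945): Method=LOCAL
2d18h: AAA/AUTHEN (1772888945): status = PASS
"""

AUTHEN_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\): (.*)")
LIST_RE = re.compile(r'using "([^"]+)" list')
METHOD_RE = re.compile(r"Method=(\w+)")
USER_RE = re.compile(r"continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"status = (\w+)")


def summarize_sessions(text):
    """Group AAA/AUTHEN debug lines by session id and pull out the method list,
    the methods tried (in order, de-duplicated), the user and the status history."""
    sessions = {}
    prompt_failed = False
    for line in text.splitlines():
        if line.startswith("% Authentication failed"):
            prompt_failed = True          # the console's verdict for the attempt
            continue
        m = AUTHEN_RE.search(line)
        if not m:
            continue                      # prompt echo or unrelated debug
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"list": None, "methods": [], "user": None, "statuses": []})
        if (mm := LIST_RE.search(rest)):
            s["list"] = mm.group(1)
        if (mm := METHOD_RE.search(rest)):
            method = mm.group(1).lower()  # survives the "(rad" truncation: Method= is intact
            if not s["methods"] or s["methods"][-1] != method:
                s["methods"].append(method)
        if (mm := USER_RE.search(rest)) and mm.group(1) != "(undef)":
            s["user"] = mm.group(1)
        if (mm := STATUS_RE.search(rest)):
            s["statuses"].append(mm.group(1))
    return {"sessions": sessions, "prompt_failed": prompt_failed}


def fell_back_to_local(session):
    """True when a non-local method ran first and IOS then consulted the local database."""
    methods = session["methods"]
    return "local" in methods and methods[0] != "local"


def diagnose(session, prompt_failed):
    """One-line reading of a session in terms of the method list's fallback rules."""
    if fell_back_to_local(session):
        return ("radius method returned an error (no usable server response), so the "
                "local method decided the login; check reachability, shared key and the "
                "AAA-client entry on the server")
    if prompt_failed and session["methods"] == ["radius"]:
        return ("radius method itself returned the failure and no fallback to local happened "
                "(an ERROR would have moved the list on); enable 'debug radius' to see the "
                "reply and compare it with the server's failed-attempts report")
    return "no verdict"


if __name__ == "__main__":
    for label, text in (("post", POST_DEBUG), ("constructed fallback", FALLBACK_DEBUG)):
        result = summarize_sessions(text)
        for sid, sess in result["sessions"].items():
            print(label, sid, sess)
            print("  ->", diagnose(sess, result["prompt_failed"]))
```

Run it against a pasted `debug aaa authentication` capture; the AAA debug alone never shows what the server answered, so the verdict points you at `debug radius` for the actual Access-Reject or timeout.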
05-01-2012 03:36 AM
In ACS, try sending the following attribute as part of authorization for users who can Telnet/SSH to the router/switch.
cisco-avpair = "shell:priv-lvl=15"
Thanks
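The attribute suggested above travels in a RADIUS Vendor-Specific attribute (RFC 2865 type 26) with Cisco's vendor ID 9 and vendor type 1, which is what "cisco-avpair" means on the wire. The Python below is an added example, not ACS's or Cisco's code: it builds an Access-Accept carrying `shell:priv-lvl=15`, computes the Response Authenticator with the shared secret from the switch config in the first post (`password`), then decodes the packet the way the NAS would and extracts the privilege level, rejecting malformed lengths or an out-of-range level rather than defaulting. The identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RADIUS code
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of the cisco-avpair string

# Constructed values for the demo; the secret is the one in the post's switch config.
SECRET = b"password"
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute (type 26)."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data      # vendor-type, vendor-length, string
    body = struct.pack("!I", VENDOR_CISCO) + sub                        # vendor-id + sub-attribute
    if 2 + len(body) > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attributes) -> bytes:
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting any attribute in the reply."""
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def iter_attributes(packet: bytes):
    """Yield (type, value) pairs, refusing lengths that run past the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def decode_cisco_avpairs(packet: bytes):
    """Return every cisco-avpair string carried in the packet's Cisco VSAs."""
    pairs = []
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode())
            sub = sub[vlen:]
    return pairs


def priv_level(avpairs):
    """Privilege level from shell:priv-lvl=N, validated to IOS's 0..15 range; None if absent."""
    for pair in avpairs:
        if pair.startswith("shell:priv-lvl="):
            level = int(pair.split("=", 1)[1])
            if not 0 <= level <= 15:
                raise ValueError(f"privilege level out of range: {level}")
            return level
    return None


if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET,
                              [encode_cisco_avpair("shell:priv-lvl=15")])
    print(pkt.hex())
    print("authenticator ok:", verify_response_authenticator(pkt, REQUEST_AUTHENTICATOR, SECRET))
    print("priv-lvl:", priv_level(decode_cisco_avpairs(pkt)))
```

The decode path is the useful half for troubleshooting: a server that sends the AV pair as the wrong vendor type, or with a mistyped string, still yields an Access-Accept, so the login succeeds but the user lands at privilege 1 and `aaa authorization exec` appears to do nothing.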
05-01-2012 05:44 AM
Is that a command that I have to run? I'm using the ACS that runs on my Windows 2003 server. Not sure where that is in the GUI.