
Unauthorized device logging in via Cisco Secure ACS 3.2

We have the Cisco Secure ACS v 3.2. There is a device that we recently discovered is not added into the network configuration on the ACS. This device, running IOS 12.2(29), does have all of the correct tacacs settings that should allow it to authenticate via Tacacs.

So basically, the ACS is allowing users to use this device to login, even though it's not in the Network Config.

When we look at the Logged-in Users report, it shows the host name as "Tacacs+ Default". We aren't sure what that is supposed to mean, and why it's allowing it.

Thank You for your time,

Andrew

3 REPLIES

Re: Unauthorized device logging in via Cisco Secure ACS 3.2

Andrew,

Make sure that you are not using any wildcards in place of the IP address in network configuration, e.g. using 192.168.*.*

This will open tacacs requests from the whole 192.168 network.

Also check the passed attempts and check the NAS IP address from where the request is coming. Search for that IP in network configuration and see if that IP belongs to the switch in question. An L3 switch can have multiple IP addresses.

If that IP belongs to that switch, then you need to take that out of network configuration.

Regards,

~JG

Do rate helpful posts
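The wildcard check JG describes above, as an added example that is not part of this thread or of ACS itself: a small audit over a constructed list of AAA-client entries that flags wildcard or range definitions and reports which entry would claim a given NAS source address. The entry syntax (a `*` per octet, or an `a-b` range inside an octet) is an assumption about how ACS 3.2's "IP Address" field is written; the host names and addresses are constructed sample data.

```python
"""Audit ACS-style AAA-client entries for wildcard/range definitions and
find which entry matches a given NAS source IP.

Added example, not code from the thread or from Cisco Secure ACS. The
entry syntax (per-octet '*' wildcard and 'lo-hi' ranges) is an assumption
about the ACS 3.2 network-configuration "IP Address" field."""

# Constructed sample of what an ACS network configuration might contain.
AAA_CLIENTS = [
    ("core-sw1", "10.10.0.1"),
    ("dist-sw2", "10.10.0.2"),
    ("lab-catchall", "192.168.*.*"),   # wildcard: matches any 192.168.x.y
    ("branch-range", "10.20.5.1-20"),  # range in the last octet
]


def octet_matches(pattern, value):
    """True if one octet pattern ('*', 'lo-hi' or a number) matches value."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value


def entry_matches(entry_ip, nas_ip):
    """True if the AAA-client entry pattern covers the NAS source address."""
    pats = entry_ip.split(".")
    vals = [int(x) for x in nas_ip.split(".")]
    if len(pats) != 4 or len(vals) != 4:
        raise ValueError("expected dotted-quad entry and address")
    return all(octet_matches(p, v) for p, v in zip(pats, vals))


def is_wildcard(entry_ip):
    """True if any octet of the entry is a wildcard or a range."""
    return any("*" in p or "-" in p for p in entry_ip.split("."))


def find_matching_clients(clients, nas_ip):
    """Return every (name, pattern) entry that would accept this NAS IP."""
    return [(name, ip) for name, ip in clients if entry_matches(ip, nas_ip)]


def audit_wildcards(clients):
    """Return the entries that accept more than a single address."""
    return [(name, ip) for name, ip in clients if is_wildcard(ip)]


if __name__ == "__main__":
    # The NAS IP is the value you would read from the Passed Authentications
    # report (constructed here).
    for nas in ("192.168.77.3", "10.20.5.15", "10.20.5.21"):
        print(nas, "->", find_matching_clients(AAA_CLIENTS, nas))
    print("wildcard entries:", audit_wildcards(AAA_CLIENTS))
```

Run it with the NAS IP taken from the Passed Authentications report; an unknown switch that authenticates will show up as matching one of the wildcard entries, which is the entry to tighten or remove.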


Re: Unauthorized device logging in via Cisco Secure ACS 3.2

I went through and checked for both cases. But still haven't found out the reason.

One thing we did notice: the tacacs server key on this switch is different from the keys we typically use. It's possible someone could have put this key in there a long time ago, and that person probably doesn't work here anymore. Is there some magical Cisco ACS tacacs server key that will allow it to authenticate no matter what?

Thanks.

Re: Unauthorized device logging in via Cisco Secure ACS 3.2

Sounds strange... No, there is no magical key for ACS or any other device. If the key in ACS is different from the key in the switch, then it should not authenticate.

Without the AAA client IP and secret key, ACS will not let that client communicate. There is surely some misconfiguration.

Can you log in to that switch and get these debugs: debug tacacs and debug aaa authentication.

Regards,

~JG
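Why a mismatched key cannot "just work", as an added example that is not part of this thread or of ACS or IOS: the TACACS+ packet body is XORed with an MD5-derived pseudo-pad keyed on the shared secret (RFC 8907 section 4.5), so a server holding a different key unwraps garbage and cannot even read the username. The session id, version byte, username and port below are constructed sample values; the START-body layout follows the RFC's authentication START packet.

```python
"""TACACS+ body obfuscation and why the shared key matters.

Added example, not Cisco ACS or IOS code. Implements the RFC 8907
pseudo-pad (chained MD5 over session_id, key, version, seq_no) and a
minimal authentication START body to show that a wrong key yields an
unparseable body. All field values are constructed samples."""
import hashlib
import struct

SESSION_ID = 0x1234ABCD   # constructed 32-bit session id
VERSION = 0xC0            # major 0xC, minor 0
SEQ_NO = 1                # first packet of the session


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pseudo-pad per RFC 8907 4.5, truncated to length bytes."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def start_body(user, port, rem_addr):
    """Build an authentication START body: 8 fixed bytes then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)
    hdr = bytes([1, 1, 1, 1, len(u), len(p), len(r), 0])
    return hdr + u + p + r


def decode_start_user(body):
    """Return the username if the length fields are consistent, else None."""
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None  # lengths do not add up: body was not unwrapped correctly
    return body[8:8 + user_len].decode("ascii", errors="replace")


def demo(good_key=b"switch-secret", wrong_key=b"acs-secret"):
    """Unwrap the same packet with the right and with a different key."""
    body = start_body("andrew", "tty0", "10.10.0.1")
    wire = obfuscate(body, SESSION_ID, good_key, VERSION, SEQ_NO)
    with_right_key = decode_start_user(
        obfuscate(wire, SESSION_ID, good_key, VERSION, SEQ_NO))
    with_wrong_key = decode_start_user(
        obfuscate(wire, SESSION_ID, wrong_key, VERSION, SEQ_NO))
    return with_right_key, with_wrong_key


if __name__ == "__main__":
    print("right key:", demo()[0], "| wrong key:", demo()[1])
```

The practical point for the thread: if the switch really does authenticate, the key in its `tacacs-server` configuration matches whatever ACS entry is answering for it, which is why the matching AAA-client entry (and not a special key) is what to hunt down.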
