Cisco Support Community

New Member

Using AD credential for device management.

Hi ,

I am trying to set the identity source to use Active Directory's resident credentials as the method for authentication.

The connection between AD and ACS was established and connected.

Problem statement:

The moment I try to telnet from the remote site, I am able to proceed through the first stage, username-password authentication, but once it comes to the enable password, it prompts me with an authentication failure even with the right password.

The error log for this case is "13029 Requested privilege level too high".

If I switch the identity source to local, it won't have such a problem.

The platform for this case is

- C6500 with IOS 12.2(33)SXJ1

- ACS 5.2.0.26

So, at ACS, I set the identity store at Access Policies > access_name > Identity

For Device Administration > Shell Profile, the profile in use sets the default privilege and maximum privilege to 15. The name of the shell profile is "full_privilege".

Below is my switch config snippet:

aaa group server tacacs+ TAC_PLUS
 server name AUTH
!
tacacs server AUTH
 address ipv4 10.10.21.251
 key xxxxxxxx
!
aaa authentication login TAC_PLUS group tacacs+ local
aaa authentication enable default group TAC_PLUS none
aaa authorization exec TAC_PLUS group tacacs+ if-authenticated
aaa authorization commands 15 TAC_PLUS group tacacs+ local
aaa authorization network TAC_PLUS group tacacs+ local
aaa accounting update periodic 1
aaa accounting exec TAC_PLUS start-stop group tacacs+
aaa accounting network TAC_PLUS start-stop group tacacs+
aaa accounting connection TAC_PLUS start-stop group tacacs+

Please advise, thanks

Noel

1 ACCEPTED SOLUTION

Silver

Using AD credential for device management.

Hello,

As you mentioned that it works fine for Internal ACS Users, can you check the Authorization Condition you have in order to return Privilege Level 15 for the users?

For example, if Internal Users ID Store works fine then the Authorization Condition might be pointing to an Internal ACS Attribute Condition like Identity Groups.

When changing to AD then the Identity Group rule might not be matched, therefore, getting to the Default Deny Access rule.

Please check the Authorization rules for the appropriate Access Service and confirm that a valid rule is created for AD users as well in order to return the appropriate privilege level.

Hope this helps.

Regards.
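As an added illustration, not part of the thread and not ACS's own code, here is a small Python model of ACS 5.x first-match authorization: the original rule keys on an internal Identity Group, so an AD-authenticated user falls through to the Default DenyAccess rule and a level-15 enable request fails; the rule keyed on an AD external group, as the accepted answer suggests, fixes it. Store, group and user names are constructed, and the enable check is an assumed simplification of the real exchange.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class User:
    name: str
    store: str                                         # identity store that authenticated the user
    identity_groups: set = field(default_factory=set)  # ACS internal Identity Groups
    ad_groups: set = field(default_factory=set)        # AD external groups from the AD store

@dataclass
class ShellProfile:
    name: str
    default_priv: int
    max_priv: int

@dataclass
class Rule:
    name: str
    condition: Callable[[User], bool]
    profile: Optional[ShellProfile]                    # None means DenyAccess

FULL_PRIV = ShellProfile("full_privilege", 15, 15)    # profile named in the thread

# Rule as it stood: matches an internal Identity Group, which AD users never carry.
INTERNAL_RULE = Rule("InternalAdmins", lambda u: "NetAdmins" in u.identity_groups, FULL_PRIV)
# Rule the poster added: matches an AD external group (constructed group name).
AD_RULE = Rule("ADAdmins", lambda u: "corp.example/NetworkAdmins" in u.ad_groups, FULL_PRIV)

def authorize(user: User, rules: List[Rule]) -> Tuple[str, Optional[ShellProfile]]:
    """First matching rule wins; no match falls through to the implicit Default rule (DenyAccess)."""
    for rule in rules:
        if rule.condition(user):
            return rule.name, rule.profile
    return "Default", None

def enable_check(profile: Optional[ShellProfile], requested: int = 15) -> str:
    """Assumed model of the enable step: with no profile no elevated level is granted,
    so a level-15 request exceeds the maximum and yields the thread's 13029 message."""
    allowed = profile.max_priv if profile else 0
    return "Pass" if requested <= allowed else "13029 Requested privilege level too high"

if __name__ == "__main__":
    internal = User("admin1", "Internal Users", identity_groups={"NetAdmins"})
    ad_user = User("noel", "AD1", ad_groups={"corp.example/NetworkAdmins"})
    for label, rules in (("before", [INTERNAL_RULE]), ("after", [INTERNAL_RULE, AD_RULE])):
        for u in (internal, ad_user):
            rule, prof = authorize(u, rules)
            print(label, u.name, "->", rule, enable_check(prof))
```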

4 REPLIES

New Member

Using AD credential for device management.

Hi,

Sorry for the late reply. I am in the GMT+8 timezone; I guess there's a time-zone gap.

As you requested, I attach the snapshot for you to refer to.

On the switch, the aaa config can be found in the thread above.

A million thanks!

Noel

Using AD credential for device management.

Hi Noel, I have a similar problem to yours. I'm trying to fix it using your comments, but I have a doubt: could you please paste a print screen of your Access Policies profile named "Device Admin"? I appreciate your help a lot.

Regards,

Juan Carlos

New Member

Using AD credential for device management.

Hi Mejia,

Your reply is the right answer; I created another rule and matched it using the AD external group for authentication.

Thanks for your advice.

Noel
