Solved: Using AD credential for device management.

yong khang NG · ‎01-11-2012

Hi ,

I trying to set the identity source to use Active Directory's reside credential as the method for authentication.

Connection between AD and ACS was establish and connected.

Problem statement:-

The moment i trying to telnet from remote site, i able to proceed on first state username-password authentication, but once come to enable password, it prompt me authentication failure even with the right password.

The error log for this case is "13029 Requested privilege level too high"

If i switch the identity source to local it won't have such problem.

Platform for these case is

- C6500 with IOS 12.2(33) SXJ1

- ACS 5.2.0.26

So, at ACS, i set the identity store at access policies > access_name > identity

For Device administration > shell profile in use setting the default privilege and maximum privelege to value 15. The name of sthe shell profiles is "full_privilege"

Below is my switch config snipet:-

aaa group server tacacs+ TAC_PLUS

server name AUTH

tacacs server AUTH

address ipv4 10.10.21.251

key xxxxxxxx

aaa authentication login TAC_PLUS group tacacs+ local

aaa authentication enable default group TAC_PLUS none

aaa authorization exec TAC_PLUS group tacacs+ if-authenticated

aaa authorization commands 15 TAC_PLUS group tacacs+ local

aaa authorization network TAC_PLUS group tacacs+ local

aaa accounting update periodic 1

aaa accounting exec TAC_PLUS start-stop group tacacs+

aaa accounting network TAC_PLUS start-stop group tacacs+

aaa accounting connection TAC_PLUS start-stop group tacacs+

please advice, thanks

Noel

camejia · ‎01-11-2012

Hello,

As you mentioned that it works fine for Internal ACS Users, can you check the Authorization Condition you have in order to return Privilege Level 15 for the users?

For example, if Internal Users ID Store works fine then the Authorization Condition might be pointing to an Internal ACS Attribute Condition like Identity Groups.

When changing to AD then the Identity Group rule might not be matched, therefore, getting to the Default Deny Access rule.

Please check the Authorization rules for the appropriate Access Service and confirm that a valid rule is created for AD users as well in order to return the appropriate privilege lever.

Hope this helps.

Regards.

View solution in original post

camejia · ‎01-11-2012

Hello,

As you mentioned that it works fine for Internal ACS Users, can you check the Authorization Condition you have in order to return Privilege Level 15 for the users?

For example, if Internal Users ID Store works fine then the Authorization Condition might be pointing to an Internal ACS Attribute Condition like Identity Groups.

When changing to AD then the Identity Group rule might not be matched, therefore, getting to the Default Deny Access rule.

Please check the Authorization rules for the appropriate Access Service and confirm that a valid rule is created for AD users as well in order to return the appropriate privilege lever.

Hope this helps.

Regards.

yong khang NG · ‎01-12-2012

Hi,

Sorry for late reply. I am staying at GMT+8 timezone, i guess there's a gap of time matter.

As you request, i attact the snapshot for you to refer.

On the switch the aaa config can found from above thread.

Million thanks !!!!!

Noel

Juan Carlos Arias Perez · ‎01-16-2012

Hi Noel, I have a similar problem as yours, I'm trying to fix with your comments but I have a doubt, could you please paste a print screen of your Access Policies profile named "Device Admin", I appreciate a lot your help.

Regards,

Juan Carlos

yong khang NG · ‎01-12-2012

Hi Mejia,

You reply is the right answer, i create another rule and lookup usisng AD external group for authentication.

Thanks for your advice

Noel