what is the use of status field in ACS 5.3

kerim mohammed
Level 3

Users whose status is manually disabled do not have difficulty in authenticating to and managing network devices. That makes me wonder: what is the difference between status enabled and disabled?

Thanks,

Kerim

3 Accepted Solutions

Kerim,

I just can't get RADIUS to work the way it used to in ACS 4.2. It is as if RADIUS is dedicated to Default Network Access as opposed to Default Network Admin.

You are correct, the Default Network Access template is for RADIUS-based authentication; you cannot assign a shell profile since that is for TACACS+. When you create a new access service it uses either a TACACS+ or a RADIUS template.

Even when I let RADIUS be used for Default Network Access, I was not able to associate a shell profile that allows privilege level 15.

Make sure that your authorization profile has the right cisco-av-pair assigned (shell:priv-lvl=15).

In ACS 4.2, if you are in the admin group you just see the switch# prompt, but in ACS 5.3 if you use RADIUS you will be at the switch> prompt.

If you are passing the attribute above, make sure that the command "aaa authorization exec default group radius" is configured.

How do I go about solving this? The other problem I am facing is, when my two ACS instances are standalone they work fine, but as soon as I make one of them secondary, the secondary can't authenticate against the RSA server; it authenticates only local users. Why is that so? I believe if we can solve this I am ready to go into production with 5.3.

I cannot think of why this is the case right off the top of my head. Your best bet for this issue is to open a TAC case to have them set up a WebEx and take a look. I am sure it is something simple, but WebEx is the fastest method because of all the different pieces that it takes to make this work.

thanks,

Tarik Admani
*Please rate helpful posts*


Hi Mohammed,

ACS 5 does not have the feature of IP pools. Logically it's always good to set up pools locally on the VPN server, and if you want the user to pick an IP from a specific local pool you can configure ACS to push that attribute.

On ACS go to Policy Elements -> Network Access -> Authorization Profiles -> Create ->
Name of the Policy -> Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x

Attribute Type: CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
Attribute Type: String
Attribute Value: Static MYPOOL (name of the pool which is defined on the ASA)

Access Policies -> Default Network Access -> Authorization -> Create -> under the Result section, call the
Authorization Profile.

Hope that helps!

Regards,
~JG

Do rate helpful posts


Hi Kerim,

The Cisco av-pair is used for Cisco devices only. For other third-party devices, a separate attribute is required to be pushed by the RADIUS server.

You have to add these attributes, which are defined under ACS 5 GUI > System Administration => Configuration => Dictionaries => Protocols => RADIUS => RADIUS VSA.

Then, in Authorization Profiles under Policy Elements => Authorizations => Network Access => Authorization Profiles, we need to call it.

Here is the VSA for Netscreen.

Name=Netscreen
IETF Code=3224
VSA 1=NS-Admin-Privilege
VSA 2=NS-Admin-Vsys-Name
VSA 3=NS-User-Group
VSA 4=NS-Primary-DNS-Server
VSA 5=NS-Secondary-DNS-Server
VSA 6=NS-Primary-WINS-Server
VSA 7=NS-Secondary-WINS-Server

Regards,

~JG

Do rate helpful posts

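The two accepted solutions above both come down to how a RADIUS server pushes vendor attributes: the Cisco av-pair (vendor ID 9, sub-attribute "shell:priv-lvl=15") and the Netscreen VSAs (IETF vendor code 3224, sub-attributes 1 to 7 as listed). The following is an added example, not code from the thread or from Cisco, that encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) so you can see exactly what bytes carry these values and check, for instance from a captured Access-Accept, which shell privilege level a server actually granted. The Netscreen vendor-type names are taken from the post; treating cisco-av-pair as Cisco vendor-type 1 and encoding the NS-Admin-Privilege value as a text string are assumptions, and the sample attribute list is constructed for the demonstration.

```python
import struct

# RFC 2865 section 5.26: Vendor-Specific attribute
#   Type (26) | Length | Vendor-Id (4 bytes) | [Vendor-type | Vendor-length | Value]...
VENDOR_SPECIFIC = 26

# Vendor dictionaries. Cisco = IANA enterprise 9 (cisco-av-pair as vendor-type 1 is
# assumed here); Netscreen = IETF code 3224 with the VSA numbers given in the post.
VENDORS = {
    9: ("Cisco", {1: "cisco-av-pair"}),
    3224: ("Netscreen", {
        1: "NS-Admin-Privilege",
        2: "NS-Admin-Vsys-Name",
        3: "NS-User-Group",
        4: "NS-Primary-DNS-Server",
        5: "NS-Secondary-DNS-Server",
        6: "NS-Primary-WINS-Server",
        7: "NS-Secondary-WINS-Server",
    }),
}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one type-26 attribute carrying a single vendor sub-attribute."""
    if isinstance(value, str):
        value = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    length = 2 + len(body)
    if length > 255:  # RADIUS attribute length is a single octet
        raise ValueError("attribute too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body


def decode_attributes(data):
    """Walk a RADIUS attribute list, returning (vendor_id, vendor_type, value) per VSA.

    Every length field is checked against the enclosing buffer so that a truncated
    or malformed packet raises ValueError instead of reading past the data.
    """
    found = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC:
            if alen < 8:  # header(2) + vendor id(4) + sub header(2) at minimum
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", data[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length")
                found.append((vendor_id, vtype, data[j + 2:j + vlen]))
                j += vlen
        i += alen
    return found


def is_well_formed(data):
    """True when the attribute list parses cleanly, False on any length error."""
    try:
        decode_attributes(data)
        return True
    except ValueError:
        return False


def describe(data):
    """Render each VSA as Vendor:Attribute=value using the dictionaries above."""
    lines = []
    for vid, vtype, value in decode_attributes(data):
        vname, types = VENDORS.get(vid, (f"vendor-{vid}", {}))
        aname = types.get(vtype, f"attr-{vtype}")
        lines.append(f"{vname}:{aname}={value.decode(errors='replace')}")
    return lines


def shell_priv_level(data):
    """Privilege level granted by a cisco-av-pair shell:priv-lvl=N, or None if absent."""
    for vid, vtype, value in decode_attributes(data):
        if vid == 9 and vtype == 1:
            text = value.decode(errors="replace")
            if text.startswith("shell:priv-lvl="):
                try:
                    return int(text.split("=", 1)[1])
                except ValueError:
                    return None
    return None


# Constructed sample: the attribute list an Access-Accept for a network admin might
# carry (a real packet also has the code/identifier/authenticator header in front).
SAMPLE = (
    encode_vsa(9, 1, "shell:priv-lvl=15")
    + encode_vsa(3224, 1, "1")          # NS-Admin-Privilege; value encoding assumed
    + encode_vsa(3224, 3, "netadmins")  # NS-User-Group
)

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
    print("shell privilege level:", shell_priv_level(SAMPLE))
```

When checking a device that lands at the switch> prompt despite a level-15 user, decoding the server's reply this way separates "the attribute was never sent" from "the attribute arrived but the NAS ignored it", which is where the `aaa authorization exec` command from the first accepted solution comes in.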


Tarik Admani
VIP Alumni

Kerim,

I wanted to know how you are authenticating the clients. If you look at the report does it point to the internal database?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

I see what you mean. We are using a sequential identity store. At the top of the sequence is the RSA server, followed by internal users, so if a user is not found in the RSA server it fails over to the internal DB. For users in the internal DB, the status field matters! For users on the RSA server, the status field doesn't matter.

Tarik,

I attached a screenshot of the reports, just FYI, and thanks as usual.

That is correct, are you testing with kerimtest? Because that looks like it is passing and failing, but I can see the timestamp.

Tarik Admani
*Please rate helpful posts*

Yes, that is my internal user test account. Things seem to be going fine. I am in the process of installing the secondary instance. I think I am going to need a separate license. Is that right?

Yes, you will need a separate license to join this ACS to the primary ACS.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

I installed the secondary ACS server. I tried to register it to the primary. I gave the IP address (DNS not yet configured) and the acsadmin password, but the registration times out, saying either wrong IP address or wrong username and password. FYI, we allowed only TCP port 2638. We didn't open other ports like TCP 61616, TCP 2020, TCP 2030 and UDP 20514. Kind of a strict environment. I am using the web login credentials as opposed to the CLI credentials. Please let me know what could be causing this failure.

You need all the ports open for this to work. You also need DNS with PTR records for this to work. Please make sure these are in place and try again.

Sent from Cisco Technical Support iPad App

Can you tell me why we need these TCP ports (2020 and 2030)? We don't have a voice network.

Thanks

Kerim,

This is not for voice calls; the "calls" in this context refer to the RMI processes:

http://www.javacoffeebreak.com/articles/javarmi/javarmi.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik!

Tarik,

Things changed a bit. Previously TCP port 2000 was all you needed for database replication; now it's a bunch of ports. I used to be a Java programmer, in fact a certified Java programmer. Look at me now (asking about RMI). I will request the DNS entry and also the firewall ports to be opened and will give it a shot tomorrow.

Thanks Tarik.

Hi Tarik,

The PTR records are created and the required ports opened (TCP 2638, 61616, 2020, 2030, UDP 20514), unidirectional (from primary to secondary). I used both the CLI and web login credentials (not sure which one I should be using). Still no success registering the secondary to the primary. Is there some change to be made on the primary as a first step? Anything I could be missing?

Thanks,

Kerim

Can you please try port 443 also, and please make sure that the ports are open in both directions.

Also is there an existing secondary node entry on the primary deployment page? If so, please delete that and try again.

Thanks,

Tarik Admani
*Please rate helpful posts*
