Cisco Support Community
Community Member

what is the use of status field in ACS 5.3

Users whose status is manually disabled do not have difficulty in authenticating and accessing/managing network devices. That makes me wonder what the difference is between status enabled and disabled?

Thanks,

Kerim

3 ACCEPTED SOLUTIONS

what is the use of status field in ACS 5.3

Kerim,

I just can't get RADIUS to work the way it used to in ACS 4.2. It is as if RADIUS is dedicated to default network access as opposed to default network admin.

You are correct, the default network access template is for RADIUS based authentication; you cannot assign a shell profile since that is for TACACS. When you create a new access service it uses either a TACACS or a RADIUS template.

Even when I let RADIUS be used for default network access, I was not able to associate a shell profile that allows priv-level 15.

Make sure that your authorization profile has the right cisco-av-pair assigned (shell:priv-lvl=15).

In ACS 4.2 if you are in the admin group you just see the switch# prompt, but in ACS 5.3 if you use RADIUS you will be in the switch> prompt.

If you are passing the attribute above, make sure that the command "aaa authorization exec default group radius" is configured.

How do I go about solving this? The other problem I am facing is, when my two ACS instances are standalone they work fine, but as soon as I make one of them secondary, the secondary can't authenticate against the RSA server; it only authenticates local users. Why is that so? I believe if we can solve this I am ready to go into production with 5.3.

I cannot think of why this is the case right off the top of my head. Your best bet for this issue is to open a TAC case to have them set up a WebEx and take a look. I am sure it is something simple, but WebEx is the fastest method because of all the different pieces that it takes to make this work.

thanks,

Tarik Admani
*Please rate helpful posts*

Re: what is the use of status field in ACS 5.3

Hi Mohammed,

ACS 5 does not have the feature of IP pools. Logically it's always good to set up pools locally on the VPN server, and if you want a user to pick an IP from a specific local pool you can configure ACS to push that attribute.

On ACS Go to > Policy Elements  -> Network Access ->   Authorization Profiles -> Create ->
Name of the Policy ->Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x

Attribute Type : CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
Attribute Type: String
Attribute Value : Static MYPOOL (Name of the Pool which is defined on the ASA)

Access Policies -> Default Network Access -> Authorization -> Create -> Under the result section call the Authorization profile.


Hope that helps!

Regards,
~JG

DO rate helpful posts

Re: what is the use of status field in ACS 5.3

Hi Kerim,

Cisco avpair is used for Cisco devices only. For other 3rd party devices, a separate attribute is required to be pushed by the RADIUS server.

You have to add these attributes; they are defined under ACS 5 GUI > System Administration => Configuration => Dictionaries => Protocols => RADIUS => RADIUS VSA.

Then in Authorization Profiles under Policy Elements => Authorizations => Network access => Authorization profiles, we need to call it.

Here is the VSA for Netscreen.

Name=Netscreen
IETF Code=3224
VSA 1=NS-Admin-Privilege
VSA 2=NS-Admin-Vsys-Name
VSA 3=NS-User-Group
VSA 4=NS-Primary-DNS-Server
VSA 5=NS-Secondary-DNS-Server
VSA 6=NS-Primary-WINS-Server
VSA 7=NS-Secondary-WINS-Server

Regards,

~JG

Do rate helpful posts
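How the attributes named in these two replies actually travel in a RADIUS Access-Accept: Tarik's cisco-av-pair shell:priv-lvl=15 and JG's Netscreen dictionary are both carried as Vendor-Specific attributes (RADIUS attribute 26, RFC 2865), which wrap a vendor ID and a vendor-specific type around the value. The Python below is an added example, not code from this thread or from Cisco ACS. It encodes and decodes that wire layout using Cisco's vendor ID 9 and cisco-avpair type 1 (standard dictionary values, not stated on this page) and the Netscreen IETF code 3224 and VSA numbers exactly as JG listed them, then extracts the privilege level an IOS device would apply. The sample attribute list and the group name in it are constructed for the example. It is useful when comparing a packet capture against what the authorization profile in the GUI claims to send.

```python
import struct
from typing import Dict, List, Optional, Tuple

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type "Vendor-Specific"
CISCO_VENDOR_ID = 9         # Cisco's IANA enterprise number (standard value, not from the thread)
CISCO_AVPAIR = 1            # vendor type of cisco-avpair in Cisco's RADIUS dictionary
NETSCREEN_VENDOR_ID = 3224  # "IETF Code" from JG's Netscreen dictionary above

# Vendor dictionaries: vendor id -> {vendor type -> attribute name}.
# The Netscreen entries are the seven VSAs JG listed.
VENDOR_DICTIONARIES: Dict[int, Dict[int, str]] = {
    CISCO_VENDOR_ID: {CISCO_AVPAIR: "cisco-avpair"},
    NETSCREEN_VENDOR_ID: {
        1: "NS-Admin-Privilege",
        2: "NS-Admin-Vsys-Name",
        3: "NS-User-Group",
        4: "NS-Primary-DNS-Server",
        5: "NS-Secondary-DNS-Server",
        6: "NS-Primary-WINS-Server",
        7: "NS-Secondary-WINS-Server",
    },
}

Attr = Tuple[Optional[int], str, bytes]  # (vendor id or None, attribute name, raw value)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute in the RFC 2865 layout:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value.
    Vendor-Length covers the vendor type, vendor length and value bytes."""
    if len(value) > 255 - 8:  # outer Length is one byte and includes the 8 header bytes
        raise ValueError("value too long for a single VSA; split it across attributes")
    body = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> List[Attr]:
    """Walk a RADIUS attribute list and expand every VSA it finds.

    Plain attributes come back as (None, "attr-<type>", value). Malformed
    lengths raise rather than being skipped, so bad input is never hidden
    by silently resynchronising on the next plausible byte."""
    attrs: List[Attr] = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        payload = blob[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC:
            attrs.append((None, f"attr-{attr_type}", payload))
            continue
        if len(payload) < 6:
            raise ValueError("truncated Vendor-Specific attribute")
        vendor_id = struct.unpack("!I", payload[:4])[0]
        names = VENDOR_DICTIONARIES.get(vendor_id, {})
        sub = payload[4:]
        while sub:  # one VSA may pack several vendor sub-attributes back to back
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError(f"bad vendor sub-attribute length from vendor {vendor_id}")
            vtype, vlen = sub[0], sub[1]
            name = names.get(vtype, f"vendor-{vendor_id}-type-{vtype}")
            attrs.append((vendor_id, name, sub[2:vlen]))
            sub = sub[vlen:]
    return attrs


def priv_level(attrs: List[Attr]) -> Optional[int]:
    """Privilege level an IOS device would take from shell:priv-lvl=N, or None."""
    for vendor_id, name, value in attrs:
        if vendor_id == CISCO_VENDOR_ID and name == "cisco-avpair":
            text = value.decode("ascii", errors="replace")
            if text.startswith("shell:priv-lvl="):
                try:
                    return int(text.split("=", 1)[1])
                except ValueError:
                    return None
    return None


def sample_accept_attributes() -> bytes:
    """Constructed sample: attributes an Access-Accept for a level-15 admin could carry."""
    return (encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")
            + encode_vsa(NETSCREEN_VENDOR_ID, 3, b"netadmins"))  # group name is made up


if __name__ == "__main__":
    decoded = decode_attributes(sample_accept_attributes())
    for vendor, name, value in decoded:
        print(vendor, name, value.decode("ascii", "replace"))
    print("priv-lvl:", priv_level(decoded))
```

If a capture shows the cisco-avpair arriving but the user still lands at the switch> prompt, the device side is the next place to look (the "aaa authorization exec" line Tarik mentions), since the attribute is only applied when exec authorization is sent to RADIUS.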

44 REPLIES

what is the use of status field in ACS 5.3

Kerim,

I wanted to know how you are authenticating the clients. If you look at the report does it point to the internal database?

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

what is the use of status field in ACS 5.3

Hi Tarik,

I see what you mean. We are using a sequential identity store. At the top of the sequence is the RSA server, followed by internal users, so if a user is not found in the RSA server it fails over to the internal DB. For users in the internal DB, the status field matters! For users on the RSA server, the status field doesn't matter.

Community Member

Re: what is the use of status field in ACS 5.3

Tarik,

I attached a screenshot of the reports, just FYI. And thanks as usual.

Re: what is the use of status field in ACS 5.3

That is correct, are you testing with kerimtest? Because that looks like it is passing and failing, but I can see the timestamp.

Tarik Admani
*Please rate helpful posts*

Community Member

Re: what is the use of status field in ACS 5.3

Yes, that is my internal user test account. Things seem to be going fine. I am in the process of installing the secondary instance. I think I am going to need a separate license. Is that right?

what is the use of status field in ACS 5.3

Yes, you will need a separate license to join this ACS to the primary ACS.

Tarik Admani
*Please rate helpful posts*

Community Member

Re: couldn't register the secondary to the primary

Hi Tarik,

I installed the secondary ACS server. I tried to register this to the primary. I gave the IP address (DNS not yet configured) and acsadmin password, but the registration times out saying either wrong IP address or wrong username and password. FYI, we allowed only TCP port 2638. We didn't open other ports like TCP 61616, TCP 2020 and TCP 2030 and UDP 20514. Kind of a strict environment. I am using the web login credentials as opposed to the CLI credentials. Please let me know what could be causing this failure.

Re: what is the use of status field in ACS 5.3

You need all the ports open for this to work. You also need DNS with PTR records for this to work. Please make sure these are in place and try again.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
Community Member

Re: what is the use of status field in ACS 5.3

Can you tell me why we need these TCP ports (2020 and 2030)? We don't have a voice network.

Thanks

Re: what is the use of status field in ACS 5.3

Kerim,

This is not for voice calls; the calls in this context refer to the RMI processes:

http://www.javacoffeebreak.com/articles/javarmi/javarmi.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: what is the use of status field in ACS 5.3

Thanks Tarik!

Community Member

Re: what is the use of status field in ACS 5.3

Tarik,

Things changed a bit. Previously TCP port 2000 was all you needed for database replication; now it is a bunch of ports. I used to be a Java programmer, in fact a certified Java programmer. Look at me now (asking about RMI). I will request the DNS entry and also the firewall ports to be opened and will give it a shot tomorrow.

Thanks Tarik.

Community Member

Re: what is the use of status field in ACS 5.3

Hi Tarik,

The PTR records were created and the required ports opened (TCP 2638, 61616, 2020, 2030, UDP 20514), unidirectional (from primary to secondary). I used both the CLI and web login credentials (not sure which one I should be using). Still no success registering the secondary to the primary. Is there some change to be made on the primary as a first step? Anything I could be missing?

thanks,

Kerim

Re: what is the use of status field in ACS 5.3

Can you please try port 443 also, and please make sure that the ports are open in both directions.

Also is there an existing secondary node entry on the primary deployment page? If so, please delete that and try again.

Thanks,

Tarik Admani
*Please rate helpful posts*
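A pre-flight check for the registration problem worked through above, written as an added example (it is not from this thread or from Cisco): it probes the TCP ports Tarik listed (2638, 61616, 2020, 2030 and 443) from one node toward the other and checks that the peer address has a PTR record whose name resolves back to it. Function names, the report wording and the timeout are my choices; UDP 20514 gets no handshake to observe with a plain connect, so it is only listed for the firewall review. Run it on the primary against the secondary and again on the secondary against the primary, since the ports must be open in both directions; the address in the usage line is a placeholder.

```python
import socket
from typing import Iterable, List, Optional, Tuple

# Ports Tarik lists in the thread as needed between the primary and secondary ACS nodes.
REQUIRED_TCP_PORTS: Tuple[int, ...] = (2638, 61616, 2020, 2030, 443)
REQUIRED_UDP_PORTS: Tuple[int, ...] = (20514,)  # not probed: UDP gives nothing to observe


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reverse_dns(ip: str) -> Optional[str]:
    """PTR name for ip, or None when the reverse zone has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def forward_dns(name: str) -> List[str]:
    """All addresses that name resolves to (empty when it does not resolve)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def dns_consistent(ip: str) -> Tuple[Optional[str], bool]:
    """Return (ptr_name, ok); ok is True only when the PTR name resolves back to ip."""
    name = reverse_dns(ip)
    if name is None:
        return None, False
    return name, ip in forward_dns(name)


def check_peer(peer_ip: str, tcp_ports: Iterable[int] = REQUIRED_TCP_PORTS,
               timeout: float = 2.0, check_dns: bool = True) -> dict:
    """Probe the replication ports toward one peer and summarise what is missing."""
    tcp = {port: tcp_port_open(peer_ip, port, timeout) for port in tcp_ports}
    ptr, ptr_ok = dns_consistent(peer_ip) if check_dns else (None, False)
    return {
        "peer": peer_ip,
        "tcp": tcp,
        "missing_tcp": [port for port, ok in tcp.items() if not ok],
        "udp_to_review": list(REQUIRED_UDP_PORTS),
        "ptr": ptr,
        "ptr_ok": ptr_ok,
    }


def format_report(result: dict) -> str:
    """Human-readable summary of one check_peer() result."""
    lines = [f"peer {result['peer']}: PTR={result['ptr']} forward/reverse consistent={result['ptr_ok']}"]
    for port, ok in result["tcp"].items():
        lines.append(f"  tcp/{port}: {'open' if ok else 'BLOCKED or not listening'}")
    udp = ",".join(str(p) for p in result["udp_to_review"])
    lines.append(f"  udp/{udp}: verify on the firewall rule base, not probed")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder peer address
    print(format_report(check_peer(target)))
```

A port reported as blocked can also mean the peer's ACS service is not yet listening on it, so a failure on one port after a fresh install is worth re-checking once the node has fully started before asking the firewall team for changes.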
