I am running Cisco ACS 4.1 (90 days trial version). In that I have created an NDG named "EdgeSwitches", and inside that group I have added as AAA clients the IP addresses of whichever switches I require. In that I can also see an AAA server, named "cisco-acs", with the IP address "10.1.1.1". Now I wanted to add a different NDG named "ServerSwitches", and I am adding whichever switches are required to be in this group. When I add an AAA server and specify the same AAA server name "cisco-acs" with the IP address "10.1.1.1", I get the error "Host Already Exists". If I then change the name from cisco-acs to cisco-acs1, I get "An overlapping IP range has been detected 10.203.1.92 conflicts with cisco-acs entry of 10.1.1.1".
How do I overcome this? I am planning it in such a way that some set of users should access "EdgeSwitches" and some users should access "ServerSwitches", with the privilege levels as per my requirement.
Create user groups, and assign the users that you want to have access to ServerSwitches to the group ServerSwitches, and the users for EdgeSwitches to the group EdgeSwitches, etc. Then you can assign privileges per NDG in the group section. Or you can assign privileges per user also if you like.
Thanks for the reply, but if I create a new NDG, I need to specify the AAA server, so when I am trying to do that I get the error message which I have attached to this. If it is not specified, then the switches under this NDG group will not authenticate via TACACS+ of Cisco ACS.
You do not need to mention the AAA server for a different NDG group.
Just define it for one NDG.
Add another NDG and add devices to it.
Configure the devices for AAA and you should be good to go.
I have it running in my network.
HTH, rate if it does
Hi Narayan & Andreas,
Thanks for the reply. As you have suggested I tried the same, but it is not asking for the user name & password (from the ACS); it directly asks for the switch local enable password. If I want the switch to prompt for user name & password, I need to put that particular switch in the NDG where the AAA server is specified. :(
It may be a limitation on the Evaluation version :-)
Can you share the configs done on the router and the ACS?
Here is my config:
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.203.1.92 key checkingtheswitch
With this configuration I am able to see the log activities etc.
All switches have got the same configuration & work fine, but only if I move one particular switch to a different NDG I am not getting the user name & password prompt.
Can you post the output of "debug aaa authentication"?
Also can you look in the Reports and Activity tab and check the reason for the failures?
Hi Narayan & Andreas,
I am extremely sorry. The only mistake I made is that, while creating the new NDG group, the key between the switch & the NDG key is different; that is the mistake I made. Once again extremely sorry & thanks for your effort & quick response. Small doubt: since I have added a virtual IP in my Windows 2000 server, I have created a 2nd ACS AAA server (because the same IP address is not allowed when trying to add the new server; now it is not required, as the problem which I have identified is the key mismatch). How do I delete that? Because I couldn't find the delete option.
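The key mismatch found above produces exactly the symptom reported earlier in the thread: with `aaa authentication login default group tacacs+ enable local`, a switch whose TACACS+ key does not match the ACS NDG key gets no usable reply, so IOS falls through to the `enable` method and prompts for the enable password. The following checker, added here as an illustration and not from the thread, predicts that outcome from the switch config and an ACS-side table; the NDG keys, client IPs and the second NDG's key are constructed values.

```python
import re

# Constructed ACS-side data (hypothetical): per-NDG shared key, AAA-client membership,
# and the ACS host the switches point at (the host IP is the one in the posted config).
ACS_NDG_KEYS = {"EdgeSwitches": "checkingtheswitch",
                "ServerSwitches": "checkingtheswltch"}   # one character off
ACS_CLIENTS = {"10.203.2.11": "EdgeSwitches", "10.203.3.21": "ServerSwitches"}
ACS_SERVER_IP = "10.203.1.92"

# Constructed copy of the IOS lines that every switch in the thread shares.
SWITCH_CONFIG = """\
aaa authentication login default group tacacs+ enable local
tacacs-server host 10.203.1.92 key checkingtheswitch
"""

def parse_switch(config):
    """Return (ordered login methods, {tacacs host: key}) from IOS AAA lines."""
    methods, servers = [], {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login default (.+)", line)
        if m:
            toks, i = m.group(1).split(), 0
            while i < len(toks):
                if toks[i] == "group":           # "group tacacs+" is one method
                    methods.append("group " + toks[i + 1]); i += 2
                else:
                    methods.append(toks[i]); i += 1
        m = re.match(r"tacacs-server host (\S+) key (\S+)", line)
        if m:
            servers[m.group(1)] = m.group(2)
    return methods, servers

def diagnose(switch_ip, config):
    """Predict which login prompt a user sees and whether the shared key matches."""
    methods, servers = parse_switch(config)
    ndg = ACS_CLIENTS.get(switch_ip)
    key_ok = ndg is not None and servers.get(ACS_SERVER_IP) == ACS_NDG_KEYS[ndg]
    for method in methods:
        if method == "group tacacs+":
            if key_ok:
                return {"ndg": ndg, "key_match": True, "prompt": "username/password"}
            continue   # ACS cannot decrypt the request; after the timeout IOS tries the next method
        if method == "enable":
            return {"ndg": ndg, "key_match": key_ok, "prompt": "enable password"}
        if method == "local":
            return {"ndg": ndg, "key_match": key_ok, "prompt": "local username/password"}
    return {"ndg": ndg, "key_match": key_ok, "prompt": "none"}
```

Run `diagnose` for each switch IP: a `key_match` of False together with an "enable password" prompt is the configuration error the thread ends on, rather than a missing AAA server entry in the NDG.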
I didn't get the question properly. Do you want to delete the 2nd ACS server you configured?
On the main tab, how many NDGs & AAA servers can you see?
Are you able to see the delete button for the other ACS servers?