Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Bronze

Authenticate NCS 1.0 Login vs. ACS 5.3

I'm trying to manages the NCS WebGUI users via ACS 5.3. When I try to login with my user "TESTUSER" I'll receivce the following message:

"No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"

At the NCS Server I've configured:

1.

Administration > AAA > TACACS+ Servers = Added Tacacs Server 1

Administration > AAA > TACACS+ Servers = Added Tacacs Server 2

2.

Administration > AAA > AAA Mode Settings = Tacacs+

Enable fallback to Local - on auth failure or no server response is checked

--- !! ACS and NCS are in the same subnet !! ---

At the ACS Server I've configure

1.

Users and Identity Stores > Internal Identity Stores > Users = TESTUSER + Password = abcd1234ABCD + Member of NCS-ADMIN

2.

Network Resources > Network Devices and AAA Clients = Added NCS with vaild Tacacs key

3.

Access Policies > Access Services = Name: AS LOGIN TACACS - Service Type: Device Administration - Included Policies: Identity & Authorization

4.

Access Policies > Access Services > Service Selection Rules = Name: EnabledSSR-Rule-1 && NDG:Device Type: -ANY- && NDG:Location: -ANY-  && match Tacacs > AS LOGIN TACACS

5.

Access Policies > Access Services > AS LOGIN TACACS > Identity = Internal Users

6.

Policy Elements > Authorization and Permissions  > Device Administration > Shell Profiles: NCS-ADMIN-LOGIN > Custom attributes

     role0=Root

     virtual-domain0=ROOT-DOMAIN

     task0=Users and Groups

     task1=Audit Trails

     task2=TACACS+ Servers

     task3=RADIUS Servers

     task4=Logging

     task5=License Center

     task6=Scheduled Tasks and Data Collection

     task7=User Preferences

     task8=System Settings

     task9=Diagnostic Information

     task10=View Alerts and Events

     task11=Email Notification

     task12=Delete and Clear Alerts

     task13=Pick and Unpick Alerts

     task14=Configure Controllers

     task15=Configure Templates

     task16=Configure Config Groups

     task17=Configure Access Points

     task18=Configure Access Point Templates

     task19=Configure Choke Points

     task20=Monitor Controllers

     task21=Monitor Access Points

     task22=Monitor Clients

     task23=Monitor Tags

     task24=Monitor Security

     task25=Monitor Chokepoints

     task26=Mesh Reports

     task27=Client Reports

     task28=Performance Reports

     task29=Security Reports

     task30=Location Server Management

     task31=View Location Notifications

     task32=Maps Read Only

     task33=Maps Read Write

     task34=Client Location

     task35=Rogue Location

     task36=Planning Mode

     task37=Ack and Unack Alerts

     task38=Migration Templates

     task39=Configure Spectrum Experts

     task40=Monitor Spectrum Experts

     task41=Auto Provisioning

     task42=Voice Audit Report

     task43=Virtual Domain Management

     task44=Scheduled Configuration Tasks

     task45=Configure WiFi TDOA Receivers

     task46=Configure ACS View Servers

     task47=Monitor WiFi TDOA Receivers

     task48=RRM Dashboard

     task49=Config Audit Dashboard

     task50=High Availability Configuration

     task51=Health Monitor Details

     task52=Configure WIPS Profiles

     task53=Global SSID Groups

     task54=Configure Lightweight Access Point Templates

     task55=Configure Autonomous Access Point Templates

     task56=Handover Server Management

     task57=Monitor Handover Server

     task58=Configure Ethernet Switch Ports

     task59=Configure Ethernet Switches

     task60=Device Reports

     task61=Network Summary Reports

     task62=Compliance Reports

     task63=Report Launch Pad

     task64=Run Reports List

     task65=Saved Reports List

     task66=Report Run History

     task67=Database Query and Update

     task68=Ack and Unack Security Index Issues

     task69=View Security Index Issues

     task70=Monitor Media Streams

     task71=Monitor Interferers

     task72=Voice Diagnostics

     task73=CleanAir Reports

     task74=ContextAware Reports

     task75=Automated Feedback

     task76=TAC Case Attachment Tool

7.

Access Policies > Access Services > AS LOGIN TACACS > Authorization =

rule-1   NDG:Device Type: -ANY- && NDG:Location: -ANY- && Identity Group: in All Groups:NCS-ADMIN && Shell Profile: NCS-ADMIN-LOGIN

9 REPLIES
New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

The symtom was the same then I put the virtual-domain row to the end. After that I coud login to the NCS using my tacacs+ account.

Bronze

Authenticate NCS 1.0 Login vs. ACS 5.3

I've solved the first step with this document. The main problem was the virtual-domain numbering.

https://supportforums.cisco.com/docs/DOC-17909

Now in second step, I would like to know if I can also define, whitch building, floor, etc. is only allowed.

New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

I had the same problem trying to authenticate NCS through ACS5.3 via TACACS but fixed it using the top post.

New Member

Re: Authenticate NCS 1.0 Login vs. ACS 5.3

"The symtom was the same then I put the virtual-domain row to the end. After that I coud login to the NCS using my tacacs+ account."

can you give me a hint? 

my virtual-domain is currently "ROOT-DOMAIN", so I put username as "ROOT-DOMAIN/steve" but no luck.

I am not using ACS, but TACACS.net software, which is working great with switch and router so far.

But only PI can't add to TACACS.

New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

Hello,

Could you try this procedure :

(1)  Open the URL after login into PI - https:///webacs/ncsDiag.do?

(2)  Click on "DB Update

(3) Run the Following Query - DELETE FROM wcspreference WHERE key='defaultPartition'

(4)restart the PI.

New Member

Re: Authenticate NCS 1.0 Login vs. ACS 5.3

Hi everybody

I had the same issue, after migration from wcs 7.0 to ncs 1.1, uprade to PI 1.3, TACACS+ did not work, I always got this message:

"No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"

ACS 5.3 was set up properly (it did work with WCS).

After applying th above procedure, TACACS+ login now works.

Thanks Paul

Daniel

New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

I'm having the same issue with tacacs.net.  It works great with routers/switches, but I can't get the authorization piece to work for NCS.  I tried the virtual-domain at the top of the list and the bottom, but neither worked.  Anyone have a solution?

Thanks,

New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

Prime Infrastructure 1.2 (Old CiscoWork, LMS, NCS) authentication through TACACS.net: In order for PI to authenticate through TACACS, vendor specific attribute needs to be added in TACACS  (or RADIUS) There are two attributes that TACACS (or RADIUS) should have. (virtual-domain / role) Unfortunately, I couldn't find out how to add those two attributes in TACACS, but definitely below section is for VSAs. I used alternative solution for PI with RADIUS which we already have for wireless access.

Good luck for your search. If you find syntax, let me know.

New Member

Authenticate NCS 1.0 Login vs. ACS 5.3

I had the same output after doing a backup/restore to a new VM. I had to update the tacacs server ip.

Administration  ->   Users, Roles, & AAA  ->  TACACS   

     Local Interface IP

10999
Views
15
Helpful
9
Replies
CreatePlease to create content