Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
5
Helpful
3
Replies

ACS not authorising Security Manager devices

colin.lynch
Level 4
Level 4

‎08-06-2009 04:52 AM - edited ‎02-21-2020 10:23 AM

Hi I have a setup ACS 4.1 CS-Manager 3.2.2

I have intergrated the CS-Manager into ACS with no problems.

However when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS"

I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS))

I am wondering if CS-Manager is not liking the wildcards.

Unfortunatley as we have 500 or so production devices already using this entry I am not in a position to remove it to test my theory at present.

Any one know if Wildcards are supported for authorising CS-Manager devices?

Regards

Colin

Labels:
0 Helpful
3 Replies 3

colin.lynch
Level 4
Level 4

‎08-06-2009 08:01 AM

Common Services says its Authorised by ACS, but Security Manager isn't convinced.

0 Helpful

koeppend
Level 4
Level 4
In response to colin.lynch

‎08-12-2009 10:03 PM

Colin

Assumption: you have CSM's common services integrated correctly into ACS, first with a admin account in acs with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal) and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.

Assumption: you have a super admin group in ACS setup that has full rights to CSM authorization categories that was pushed into ACS from Common Services when you first setup AAA in CS. And you have setup a user that is part of that the ACS super admin group.

Three things to check.

1. Under ACS, click the 'Share Profile Components' buttom, check that Common services has pushed out the Authorization categories into ACS, you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator', make sure that all the tick boxes in this profile is all ticked with no gray or shaded boxes.

2. The user account your logging into CSM is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-manager authorization categories. i.e make sure that you have matched the group that you checked in my previous point, 'System Administrator' or what ever group you created that gave full rights.

3. Finally, you must have the device listed in your network device groups in ACS. Remembering that CSM will check against the ACS's NDG lists and WILL also matches against a FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN, if its not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2 not 100% sure but it broke my network in 3.1). I'm going to take a wild stab in the dark and say that the wild card might be failing you because it doesnt match between CSM host name and domain name sections to the ACS host name.

Dale

Oh one final test you can try, log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via tacacs and that you can perform enable access type functions using this account.

colin.lynch
Level 4
Level 4
In response to koeppend

‎08-13-2009 06:01 AM

Hi Dale

Thanks for the reply

I am fairly happy CSM and ACS are correctly intergrated and your first two points above are certainly configured.

I feel the issue lies with your 3rd point.

As the client uses a wildcard mask to cover there hundred or so devices, I cannot add more granular devices within the same range using the same auth method (TACACS+ Cisco IOS) Common services says they are authorized but CSM says not.

I have added all firewall devices into CSM in non ACS mode, but when I switch back to ACS mode they are no longer listed (As I guess are unauthorised)

Regards

Colin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents