
Prime NCS: TACACS+ Integration into ACS 5.1

alex.dersch
Level 4

Hello,

I'd like to integrate TACACS+ into NCS.

I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.

Any ideas?

regards

Alex

Here is my Shell Profile Configuration

14 Replies

Scott Fella
Hall of Fame

How do you have your service-type configured on ACS? It should be set to login.

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for your help,

It is set to Device Administration.

I can only choose Network Access, Device Administration and Radius Proxy.

There is another setting somewhere in ACS to define the service type as login. I will try to find it... might take some time though, since I have to find a box to look at.

-Scott

I finally could log in, but not the default Ambassador view.

That's really strange. Here is the authorization result from my ACS server.

{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }

Is the username (lobby admin) also part of another group by chance?

-Scott

No, I started with an ACS user lobbyadmin; the last tests I did were done with an Active Directory user called dersa. I mapped this user to an ACS User Group called NCS Lobby Ambassador.

I also created a shell profile for root; when I change the shell profile from NCS Lobby Ambassador to NCS Root Admin the user cannot log on anymore.

I’m going to have to see how I have it set up in my lab.

-Scott

Hi Alex,

What browser are you using? If it's Internet Explorer, please install the "chrome frame" plugin and then try the login.

Ram

Hi,

I updated NCS to the latest release. It's working now. The problem was in the task list provided with the previous version. In the version the Task Lists were fixed.

Thanks a lot for your support.

alex

I'm having the exact problem you had. I copied the TACACS task list and set up the access policy, but the thing isn't functioning correctly. The task list I have is the following:

role0=Lobby Ambassador

task0=Lobby Ambassador User Preferences

task1=Configure Guest Users

task2=License Check

I've also added the virtual domain to the list:

virtual-domain0=ROOT-DOMAIN

I'm current on the code rev. Is this your task list?

Doh! Answered my own question. Looks like the virtual domain needs to be first.
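An added example, not part of any post in this thread: a small Python check that parses the ACS authorization result quoted earlier and compares it, attribute by attribute, with the custom attribute list posted above. The function names are hypothetical, and treating the ACS reply as the reference is an assumption made only for the comparison; which task names NCS accepts is decided by NCS itself.

```python
import re

# ACS authorization result exactly as quoted in the thread.
ACS_REPLY = ("{Type=Authorization; Author-Reply-Status=PassAdd; "
             "AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; "
             "AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; "
             "AVPair=task3=Configure Guest Users; AVPair=task4=Check License; "
             "AVPair=virtual-domain0=ROOT-DOMAIN; }")

# Attribute list from the later post, in the order it was posted.
POSTED_LIST = ["role0=Lobby Ambassador",
               "task0=Lobby Ambassador User Preferences",
               "task1=Configure Guest Users",
               "task2=License Check",
               "virtual-domain0=ROOT-DOMAIN"]

ATTR = re.compile(r"^(role|task|virtual-domain)(\d+)=(.+)$")

def parse_reply(record):
    """Return the AVPair values of an ACS log record, in the order sent."""
    fields = [f.strip() for f in record.strip().strip("{}").split(";")]
    return [f[len("AVPair="):] for f in fields if f.startswith("AVPair=")]

def index_attrs(pairs):
    """Map kind -> [(index, value), ...]; raise on anything unrecognised."""
    out = {}
    for pair in pairs:
        m = ATTR.match(pair)
        if m is None:
            raise ValueError(f"unexpected attribute: {pair!r}")
        out.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    return out

def numbering_gaps(pairs):
    """Kinds whose indices are not 0, 1, 2, ... in the order listed."""
    return sorted(k for k, v in index_attrs(pairs).items()
                  if [i for i, _ in v] != list(range(len(v))))

def compare(reference, candidate):
    """Per kind: values only in the reference (missing) or only in the candidate (extra)."""
    ref, cand = index_attrs(reference), index_attrs(candidate)
    report = {}
    for kind in sorted(set(ref) | set(cand)):
        r = {v for _, v in ref.get(kind, [])}
        c = {v for _, v in cand.get(kind, [])}
        report[kind] = {"missing": sorted(r - c), "extra": sorted(c - r)}
    return report

if __name__ == "__main__":
    for kind, diff in compare(parse_reply(ACS_REPLY), POSTED_LIST).items():
        print(kind, diff)
```

On the two lists in this thread it reports GLOBAL, Basic and Check License as absent from the posted list and License Check as present only there; both lists are numbered without gaps.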

How do you integrate NCS to TACACS and use AD to define the "role"? Do not want to have to create a user in NCS in AAA, just use AD to authenticate the users that are already in a Group in AD.

Thanks much

You map a group to the role. I hope that makes sense.

Yes that's correct. You map the AD users to roles.
