12-12-2011 06:48 AM - edited 07-03-2021 09:12 PM
Hello,
I'd like to integrate TACACS+ into NCS.
I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.
Any ideas?
regards
Alex
Here is my Shell Profile Configuration
12-12-2011 07:51 AM
How do you have your service-type configured on ACS? It should be set to login.
12-12-2011 07:58 AM
Hi Scott,
Thanks for your help,
it is set to Device Administration.
I can only choose Network Access, Device Administration and Radius Proxy.
12-12-2011 08:02 AM
There is another setting somewhere in ACS to define the service type as login. I will try to find it... might take some time though, since I have to find a box to look at.
12-12-2011 11:53 AM
I finally could log in, but not the default Ambassador view.
That's really strange. Here is the authorization result from my ACS server.
{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }
12-12-2011 12:40 PM
Is the username (lobby admin) also part of another group by chance?
12-12-2011 12:53 PM
No, I started with an ACS user lobbyadmin; the last tests I did were done with an Active Directory user called dersa. I mapped this user to an ACS User Group called NCS Lobby Ambassador.
I also created a shell profile for root; when I change the shell profile from NCS Lobby Ambassador to NCS Root Admin the user cannot log on anymore.
12-12-2011 01:02 PM
I'm going to have to see how I have it set up in my lab.
12-15-2011 09:24 AM
Hi Alex,
What browser are you using? If it's Internet Explorer, please install the "chrome frame" plugin and then try the login.
Ram
12-16-2011 05:19 AM
Hi,
I updated NCS to the latest release. It's working now. The problem was in the task list provided with the previous version. In the version the Task Lists were fixed.
Thanks a lot for your support.
Alex
01-25-2012 03:12 PM
I'm having the exact problem you had. I copied the TACACS task list and set up the access policy, but the thing isn't functioning correctly. The task list I have is the following:
role0=Lobby Ambassador
task0=Lobby Ambassador User Preferences
task1=Configure Guest Users
task2=License Check
I've also added the virtual domain to the list:
virtual-domain0=ROOT-DOMAIN
I'm current on the code rev. Is this your task list?
01-25-2012 03:15 PM
Doh! Answered my own question. Looks like the virtual domain needs to be first.
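Added example (not part of the thread and not Cisco's code): a Python sketch that parses the ACS authorization reply quoted earlier in the thread and compares it with the custom attribute list pasted in the 01-25-2012 post, reporting values that differ and numbering gaps. The function names are hypothetical, and the check that indices run 0, 1, 2, ... is an assumption based on the two lists shown here.

```python
import re

# Authorization reply as quoted from the ACS log earlier in this thread.
ACS_REPLY = ("{Type=Authorization; Author-Reply-Status=PassAdd; "
    "AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; "
    "AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; "
    "AVPair=task3=Configure Guest Users; AVPair=task4=Check License; "
    "AVPair=virtual-domain0=ROOT-DOMAIN; }")
# Custom attributes as pasted in the 01-25-2012 post.
PASTED = ["role0=Lobby Ambassador", "task0=Lobby Ambassador User Preferences",
    "task1=Configure Guest Users", "task2=License Check",
    "virtual-domain0=ROOT-DOMAIN"]
ATTR = re.compile(r"^(role|task|virtual-domain)(\d+)=(.+)$")

def parse_reply(line):
    """Return the AVPair entries of an ACS authorization log line, in order."""
    fields = [f.strip() for f in line.strip().strip("{}").split(";")]
    return [f[len("AVPair="):] for f in fields if f.startswith("AVPair=")]

def group(pairs):
    """Group 'kindN=value' pairs by kind and collect numbering problems."""
    values, problems = {}, []
    for pair in pairs:
        m = ATTR.match(pair.strip())
        if not m:
            problems.append(f"unrecognised attribute: {pair!r}")
            continue
        kind, idx, val = m.group(1), int(m.group(2)), m.group(3).strip()
        bucket = values.setdefault(kind, [])
        # Assumption: indices run 0, 1, 2, ... per kind, as in both lists above.
        if idx != len(bucket):
            problems.append(f"{kind}{idx}: expected index {len(bucket)}")
        bucket.append(val)
    return values, problems

def diff(reply, pasted):
    """Per kind, values present only in the ACS reply or only in the pasted list."""
    out = {}
    for kind in sorted(set(reply) | set(pasted)):
        only_reply = sorted(set(reply.get(kind, [])) - set(pasted.get(kind, [])))
        only_pasted = sorted(set(pasted.get(kind, [])) - set(reply.get(kind, [])))
        if only_reply or only_pasted:
            out[kind] = {"only_in_reply": only_reply, "only_in_pasted": only_pasted}
    return out

if __name__ == "__main__":
    reply, reply_problems = group(parse_reply(ACS_REPLY))
    pasted, pasted_problems = group(PASTED)
    print(reply_problems + pasted_problems)
    print(diff(reply, pasted))
```

On the two lists from this thread it reports no numbering gaps and lists the task names that appear in only one of them, such as `Check License` in the reply and `License Check` in the pasted list.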
03-22-2013 06:51 PM
How do you integrate NCS to TACACS and use AD to define the "role"? Do not want to have to create user in NCS in AAA, just use AD to authenticate the users that are already in a Group in AD.
Thanks much
03-22-2013 08:34 PM
You map a group to the role. I hope that makes sense.
03-23-2013 03:33 AM
Yes that's correct. You map the AD users to roles.