Cisco Support Community

ACS questions

Hi, everyone

I am using ACS version 5.4 and my job is to establish a connection between the ACS and an Active Directory.

At this point, there is no problem.

But there are menu items that I don't understand, like:

1.) What is the difference between the Default Device Admin and the Default Network Access?

           - And what does Identity mean?

My idea regarding Identity is that it is an if-query in the Compound Condition, where you say, for instance, if Email does not equal, say, the value "Wrong logdata", or Email equals "Email is correct".

Is this correct?

2.) And secondly, how can I test the ACS of the AAA model?

3.) Should I create a RADIUS client in the Active Directory?

I hope some of you can help me.

Sunny greetings,

Slawa

Comments
Cisco Employee

Hi Slawa,

I think you posted your question as a document. It should be opened as a Discussion.

Anyway, let me try to answer your questions.

ACS 5.4 is preconfigured with two default access services, one for device administration and another for network access. You can edit these access services.

We use Default Device Admin for device administration using TACACS+ as the protocol, i.e. SSH, Telnet and HTTP session administration. Default Network Access, however, is used for network access using the RADIUS protocol, for wireless, VPN, etc.

Identity: We include an identity policy in the access service to define the identity store or stores that ACS uses for authentication and attribute retrieval. It could be Active Directory, LDAP, RSA, Internal Users, etc., wherever we have our user database.

The RADIUS or TACACS+ AAA client needs to be created in ACS > Network Resources. Once created, you may test user authentication by running a test command from the IOS CLI (assuming you have IOS configured for AAA/RADIUS authentication):

test aaa group radius username password legacy

For more information you may go through the end user guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/access_policies.html

Hope it helps.

Regards,

Jatin
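The `test aaa group radius` command above is a RADIUS Access-Request with a PAP-encrypted User-Password, answered by an Access-Accept or Access-Reject. The following is an added example, not code from the original thread or from Cisco: it builds that exchange in pure Python from RFC 2865 with no network, using a toy in-process server that stands in for ACS. The shared secret, user database, NAS address and user name are constructed sample values. The point worth seeing is on the client side: the reply is only trusted after its Response Authenticator checks out against the Request Authenticator and the shared secret, which is exactly the check that fails when the secrets on the two sides differ.

```python
"""Added example: the RADIUS PAP exchange that 'test aaa group radius ...' performs on the wire.

Pure RFC 2865 encoding, no network: a client builds an Access-Request, a toy
server (standing in for ACS) decrypts the password and answers, and the client
verifies the Response Authenticator before trusting the answer.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; the keystream chains on the *ciphertext* blocks."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the password itself has no trailing NULs


def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length counts the two header octets."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def build_access_request(username, password, secret, nas_ip, ident, request_auth=None):
    """Client side. Returns (packet, Request Authenticator); keep the RA to check the reply."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, users):
    """Toy server standing in for ACS: decrypt the PAP password, check it, answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs[USER_NAME].decode()
    given = decrypt_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(user, b""), given)  # wrong secret -> garbage -> Reject
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome " + user.encode())]) if ok else b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify(reply, request_auth, secret, expected_ident):
    """Return the reply code, or None if the reply is not a valid answer to our request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return None
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # shared secret differs on one side, or the reply was forged
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample, not a real key
    users = {"slawa": b"Passw0rd!"}         # constructed stand-in for the AD lookup
    pkt, ra = build_access_request("slawa", "Passw0rd!", secret, "10.0.0.1", ident=7)
    print("good password ->", client_verify(server_handle(pkt, secret, users), ra, secret, 7))
    pkt, ra = build_access_request("slawa", "wrong", secret, "10.0.0.1", ident=8)
    print("bad password  ->", client_verify(server_handle(pkt, secret, users), ra, secret, 8))
```

Two practical consequences fall out of the code: a secret mismatch does not produce an error message, it produces a Reject (the server decrypts garbage) or a reply the client silently discards (the Response Authenticator fails), so "authentication fails" alone does not tell you whether the password or the shared secret is wrong; and because the password is only MD5-masked, the shared secret and the network path between NAS and ACS carry the real protection.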

New Member

Hi Jatin,

thank you for the answers, that helped me a lot

Cisco Employee

Glad I was able to help you.

Cheers.

-Jatin

New Member

Hey everyone again,

My problem is currently not solved.

Maybe I should explain the scenario.

At the moment I am a trainee in a company and they gave me the project to "upgrade" their existing ACS 4.0 to version 5.4.

The test devices I have are a Cisco access point (WAP4410N), a VM where the ACS is running, and an Active Directory.

My job is to provide the usual authentication for the work environment, like WLAN access, Linux servers and so on.

At this point I have to say that I have no idea how I should handle this. I have spent a lot of time reading the Cisco guides, but there is so much information. I know the basic steps, but that is it.

Don't misunderstand me, I don't want any of you to do my work. I only need a little help as a newcomer.

I have tested a lot but without useful results; I can't access the Cisco access point...

I hope you can help me.

Regards,

Slawa

Cisco Employee

I think you need to start with the migration first. If that goes smoothly, then we can talk about specific scenarios.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/migration/guide/Migration_support.html#wp999713

-Jatin

New Member

Version 5.4 doesn't support a migration from 4.0.x, so I need to start from 0%.

-Slawa

Cisco Employee

Yes, you're correct. ACS 5 doesn't support migration from 4.0.x!

You need to first upgrade the ACS 4.0 server to one of the ACS releases listed below. That should not take more than 30 minutes.

You can migrate the following ACS 4.x versions:

ACS 4.1.1.24

ACS 4.1.4

ACS 4.2.0.124

ACS 4.2.1

-Jatin

New Member

Okay, I get it.

My ACS works well, thanks for your help.

I tested it with an access point successfully.

Now I need to test it with a Linux system. They gave me the job of creating a new openSUSE 12.1 server with pam_radius (pam_radius-1.3.16-228.1.2.i586.rpm).

My problem is that I can't start that RADIUS, because I can't see the daemon in "ps aux".

I configured /etc/raddb/server and /etc/pam.d/sshd and now I don't know how to start it, because it is not easy to find important information about pam_radius; everywhere FreeRADIUS is in use.

Maybe you can help me how I can solve the problem.

Slawa

New Member

Okay, I solved the problem...

I entered the wrong port in /etc/raddb/server; I mixed up the CoA and the standard RADIUS port :/

Everything is working fine now!

Regards,

Slawa
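The fix above is a one-line change in the pam_radius_auth server file, and the symptom (every SSH login waits out the timeout and then fails) gives no hint that the packets are simply going to the wrong UDP port. As an added example, not code from the thread or from the pam_radius project, here is a small checker for that file. It assumes the file format documented in the pam_radius_auth README, `server[:port] shared_secret [timeout]` with `#` comments, and flags the ports a practitioner tends to mix up: 3799 is the RFC 5176 CoA/Dynamic Authorization port, 1813/1646 are accounting, and authentication belongs on 1812 (or the legacy 1645 that older Cisco gear still uses). The sample file, hostname and secret are constructed.

```python
"""Added example: parse a pam_radius_auth server file and flag the port mix-up from the post.

pam_radius reads /etc/raddb/server, one server per line:
    server[:port]  shared_secret  [timeout_seconds]
with '#' comments. No network access; the sample file below is constructed.
"""

RADIUS_AUTH_PORTS = {1812, 1645}   # RFC 2865 port, plus the legacy port older Cisco gear uses
RADIUS_ACCT_PORTS = {1813, 1646}   # accounting, not authentication
COA_PORT = 3799                    # RFC 5176 Dynamic Authorization (CoA / Disconnect-Request)


def parse_server_file(text):
    """Return one dict per configured server; raises on lines that cannot be a server entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'server[:port] secret [timeout]'")
        host, _, port = fields[0].partition(":")
        entries.append({
            "line": lineno,
            "host": host,
            "port": int(port) if port else None,   # None: pam_radius falls back to its default
            "secret": fields[1],
            "timeout": int(fields[2]) if len(fields) > 2 else None,
        })
    return entries


def check_entry(entry):
    """Human-readable findings for one server line; an empty list means it looks sane."""
    findings = []
    port = entry["port"]
    if port == COA_PORT:
        findings.append(f"port {port} is the CoA/Dynamic-Authorization port (RFC 5176); "
                        "authentication goes to 1812 (or legacy 1645)")
    elif port in RADIUS_ACCT_PORTS:
        findings.append(f"port {port} is the accounting port; authentication goes to 1812/1645")
    elif port is not None and port not in RADIUS_AUTH_PORTS:
        findings.append(f"port {port} is not a standard RADIUS authentication port; "
                        "confirm it matches the ACS listener")
    if len(entry["secret"]) < 16:
        findings.append("shared secret is shorter than the 16 octets RFC 2865 recommends")
    if entry["timeout"] is not None and entry["timeout"] > 10:
        findings.append(f"timeout {entry['timeout']}s: every SSH login will wait that long "
                        "per server if ACS is unreachable")
    return findings


def check_server_file(text):
    """Map 'host:port' -> findings for every entry in the file."""
    return {f"{e['host']}:{e['port']}": check_entry(e) for e in parse_server_file(text)}


# Constructed sample: the mistake described in the thread next to the corrected line.
SAMPLE = """\
# server[:port]          shared_secret        timeout (s)
acs.example.local:3799   Sup3r-Secret-Value   3     # wrong: CoA port
acs.example.local:1812   Sup3r-Secret-Value   3     # right: RADIUS authentication port
"""

if __name__ == "__main__":
    for target, findings in check_server_file(SAMPLE).items():
        print(target, "->", findings or ["ok"])
```

Run against the real file with `check_server_file(open("/etc/raddb/server").read())` on the Linux host. Because pam_radius is a PAM module and not a daemon, there is nothing to look for in `ps aux`; the only process involved is the one doing the login (sshd), which is why a wrong port shows up as a slow login rather than a failed service.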

Cisco Employee

OK, great.
