CiscoSecure ACS v. 3.3 user TACACS+ password choice defaults not LDAP

I have a CiscoSecure ACS v.3.3 that is configured to use MS AD LDAP for authentication for users. I have set an AS5350 to use TACACS+ to authenticate enable events.

It works ok, all of the external DB users get pulled into the ACS from Active Directory fine. The problems are:

1) For each user, on the ACS, in the Advanced TACACS+ Settings section, the TACACS+ Enable Password defaults to Use Separate Password.

2) For certain users that are in multiple groups in AD that are linked in the ACS, some users get authenticated against a group that doesn't have TACACS+ Enable privileges.

Example: two users, user1 and user2

In Active Directory: user1 is in groups WebVPN and RouterAdmin; user2 is in group RouterAdmin.

In the ACS: AD group WebVPN is mapped to an ACS group called WebVPN (group 2 in the list); AD group RouterAdmin is mapped to RouterAdmin (group 10 in the list).

WebVPN group has no Enable or TACACS+ options; RouterAdmin group has TACACS+ and Enable options set.

On the AS5350 when user1 logs in and tries to Enable, he is denied with an External DB Account restrictions and it lists WebVPN as the group the user was authenticated against.

user2 logs into the AS5350 with no problems.

Questions:

1) How can a user that is in two AD groups that are being called from the ACS get authenticated through the right group for enable?

2) Can the user default be set for TACACS+ Enable password to go to LDAP? There is no password choice setting for the group, and it seems silly to use group TACACS+ configuration on the TACACS+ options page if you have to manually go to every user and specify the password choice.
lostowl

We had a similar dilemma many years ago when using ACS 3.2 and an AS5200 used for dialin. Our solution was to use two ACS servers, one for dialin AAA and another for router AAA. On the AS5350 you can set up different tacacs-server groups for authentication, authorization and accounting and point VPN AAA to one server, and router AAA to the other. The problem is that there isn't any way for the ACS server to know in what context the router is requesting AAA, which in your case is either VPN or access to the AS5350. If the usernames were different, you could do this with one ACS server. I don't think upgrading to ACS 4.1 would fix this problem either.

Scott

Thrill5
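The split that Scott describes, as an added IOS configuration example that is not from the original thread: the AS5350 gets two named tacacs-server groups, VPN/dialin AAA points at one ACS and login/enable AAA for the router itself points at the other, so each ACS only ever sees one context. Server addresses, group names and the placeholder shared secrets below are made up; substitute your own.

```cisco
! Added example (not from the thread): separate AAA contexts on the NAS
aaa new-model

! ACS server that holds the VPN/dialin users (address is an assumption)
tacacs-server host 192.0.2.10 key DIALIN-SECRET-PLACEHOLDER
! ACS server that holds the router admins (address is an assumption)
tacacs-server host 192.0.2.20 key ROUTER-SECRET-PLACEHOLDER

! Named server groups so each AAA method list can pick its own ACS
aaa group server tacacs+ DIALIN-AAA
 server 192.0.2.10
aaa group server tacacs+ ROUTER-AAA
 server 192.0.2.20

! PPP/dialin authentication goes to the dialin ACS only
aaa authentication ppp default group DIALIN-AAA
aaa authorization network default group DIALIN-AAA
aaa accounting network default start-stop group DIALIN-AAA

! Router login and enable go to the router ACS only; fall back to the
! local database / enable secret if that ACS is unreachable
aaa authentication login default group ROUTER-AAA local
aaa authentication enable default group ROUTER-AAA enable
aaa authorization exec default group ROUTER-AAA local
aaa accounting exec default start-stop group ROUTER-AAA
```

With this layout the router ACS only needs the RouterAdmin mapping, so a user who is also in WebVPN can no longer be matched against the WebVPN group when the enable request arrives; the trade-off is a second ACS to keep in sync with AD, and the fallbacks (`local`, `enable`) should be kept so a failed ACS does not lock administrators out.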

This is solely a matter of the sequence in which you configure the groups. The Auth request can respond true or false, but exits on the first true, just like an ACL. Hence the ordering of the groups is important.

-Yes. Also, you could solve your "problem" by assigning the user the TACACS rights they need at user level. User-level settings will override group-level settings.

This is not true, although there might be options that you have chosen not to view in the HTML pages. This you can change, i.e. which options you want to be displayed, and hence configurable. (Can't exactly recall where, and I am not in front of an ACS right now.)

HTH Martin Bilgrav

