I have a CiscoSecure ACS v.3.3 that is configured to use MS AD LDAP for authentication for users. I have set an AS5350 to use TACACS+ to authenticate enable events.
It works ok, all of the external DB users get pulled into the ACS from Active Directory fine. The problems are:
1) For each user, on the ACS, in the Advanced TACACS+ Settings section, the TACACS+ Enable Password defaults to Use Separate Password.
2) For certain users that are in multiple groups in AD that are linked in the ACS, some users get authenticated against a group that doesn't have TACACS+ Enable privileges.
Example: two users, user1 and user2
In Active Directory: user1 is in groups WebVPN and RouterAdmin; user2 is in group RouterAdmin.
In the ACS: AD group WebVPN is mapped to an ACS group called WebVPN (group 2 in the list); AD group RouterAdmin is mapped to RouterAdmin (group 10 in the list).
The WebVPN group has no Enable or TACACS+ options; the RouterAdmin group has TACACS+ and Enable options set.
On the AS5350, when user1 logs in and tries to Enable, he is denied with "External DB Account Restrictions", and it lists WebVPN as the group the user was authenticated against.
user2 logs into the AS5350 with no problems.
Questions:
1) How can a user that is in two AD groups that are being called from the ACS get authenticated through the right group for enable?
2) Can the user default be set for TACACS+ Enable password to go to LDAP? There is no password choice setting for the group, and it seems silly to use group TACACS+ configuration on the TACACS+ options page if you have to manually go to every user and specify the password choice.
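As an added illustration of the first problem (not code from the original post or from Cisco ACS), the following Python models an ordered group-mapping list, assuming that ACS walks the mapping entries top-down and applies the first entry whose AD group the user belongs to. The user and group names come from the post; the AD memberships and per-group Enable flags are constructed to match its description.

```python
# Added example: models ordered external-DB group mapping as described in the post.
# Assumption: the first mapping entry whose AD group the user is a member of wins.

from dataclasses import dataclass

@dataclass
class AcsGroup:
    name: str
    tacacs_enable: bool  # whether the ACS group grants TACACS+ Enable

# ACS groups from the post; Enable flags constructed to match its description.
ACS_GROUPS = {
    "WebVPN": AcsGroup("WebVPN", tacacs_enable=False),
    "RouterAdmin": AcsGroup("RouterAdmin", tacacs_enable=True),
}

# Constructed AD membership for the two users in the post.
AD_MEMBERSHIP = {
    "user1": {"WebVPN", "RouterAdmin"},
    "user2": {"RouterAdmin"},
}

def resolve_group(user, mapping_order):
    """Return the ACS group the user is authenticated against, or None.

    mapping_order is the ordered list of (ad_group, acs_group) entries; the
    first entry whose AD group the user belongs to is applied (assumption).
    """
    groups = AD_MEMBERSHIP.get(user, set())
    for ad_group, acs_group in mapping_order:
        if ad_group in groups:
            return acs_group
    return None

def enable_allowed(user, mapping_order):
    """True if the resolved ACS group grants TACACS+ Enable."""
    acs = resolve_group(user, mapping_order)
    return bool(acs and ACS_GROUPS[acs].tacacs_enable)

# Order matching the post: WebVPN is evaluated before RouterAdmin.
ORIGINAL_ORDER = [("WebVPN", "WebVPN"), ("RouterAdmin", "RouterAdmin")]
# Reordered so the mapping that grants Enable is evaluated first.
FIXED_ORDER = [("RouterAdmin", "RouterAdmin"), ("WebVPN", "WebVPN")]

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        for user in ("user1", "user2"):
            print(label, user, resolve_group(user, order), enable_allowed(user, order))
```

With the original order user1 resolves to WebVPN and is denied Enable, which matches the symptom in the post; with RouterAdmin evaluated first, both users resolve to RouterAdmin.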