Document ID: 116358
Updated: Aug 23, 2013
Contributed by Minakshi Kumar, Cisco TAC Engineer.
This document provides a configuration example for TACACS+ authentication and authorization on the Cisco Prime Network Control System (NCS) Release 1.1.
Ensure that you meet these requirements before you attempt this configuration:
- Define NCS as a client in the Access Control System (ACS).
- Define the IP address and an identical shared-secret key on the ACS and NCS.
The information in this document is based on these software and hardware versions:
- ACS Version 5.4
- NCS Prime Release 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
In this section, you are presented with the information used in order to configure the features described in this document.
Add ACS as a TACACS Server
Complete these steps in order to add ACS as a TACACS server:
- Navigate to Administration > AAA.
- From the left sidebar menu, choose TACACS+, and this information displays:
The TACACS+ page shows the IP address, port, retransmit rate, and authentication type.
- Add the IP address of the ACS server.
- Enter the TACACS+ shared secret used by the ACS server.
- Reenter the shared secret in the Confirm Shared Secret text box.
- Leave the rest of the fields on their default setting.
- Click Submit.
AAA Mode Settings
In order to choose an Authentication, Authorization, and Accounting (AAA) mode, complete these steps:
- Navigate to Administration > AAA.
- Choose AAA Mode from the left sidebar menu, and this information displays:
- Choose TACACS+.
- Check the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server (ACS) is down. This is recommended so that authentication still occurs if the TACACS+ server fails. Once the configuration is verified and works, you can make changes, if desired.
ACS Version 5.4 Configuration
For ACS Version 5.4 configuration, you must complete these steps in order to send attributes from the ACS to the NCS:
- Retrieve the attributes:
- Navigate to Administration > AAA > User Groups.
- This example shows administrator authentication. Look for the Admin Group Name in the list, and click the Task List option on the right.
- Export and save the attributes to the desktop.
- Log in to the ACS Admin GUI, and navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.
- Name the profile NCS.
- From the Custom Attributes tab, enter these values:
Attribute Requirement Value
role0 Mandatory Admin
task0 Mandatory GLOBAL
task1 Mandatory View Alerts and Events
Virtual-domain0 Mandatory ROOT
- Submit the changes in order to create an attribute-based role for the NCS.
- Navigate to Access Policies > Access Services > Default Device Admin > Identity, and choose Internal Users for the Identity Source.
- Create a new authorization rule or edit a rule that already exists in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
- In the Conditions area, choose the appropriate conditions. In the Results area, choose NCS for the Shell Profile.
- Click OK.
Log in to the NCS, and confirm that you have the Admin role.
If you cannot log in to the NCS, log in to the ACS GUI and navigate to Monitoring and Reports > Catalog > AAA Protocols > TACACS+ Authentication. Select the failed authentication, and choose Details in order to see why the authentication failed or was rejected.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.