Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

ACS 5.3 tacacs with Controller

Hi 

I am trying to integrate ACS 5.3 with an Aruba Controller for management authentication using the TACACS protocol.

On the controller I have created a TACACS server entry and added it to a server group. The server group is applied to management authentication. This server group has the internal server as the first option and ACS as the second, with fail-through enabled. I can successfully test from the controller's AAA test server with PAP, but with MSCHAP it is failing. Also, for mgmt auth (SSH/GUI) I am not able to use the TACACS/ACS-based login. Any config missing?

Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: ACS 5.3 tacacs with Controller

What is the error message on the ACS?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: ACS 5.3 tacacs with Controller

I can see a log for a successful TACACS auth, which happens when I try from the AAA test server with PAP. There is no TACACS log when the request is made while logging into the controller, or from the AAA test server with MSCHAP.

Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: ACS 5.3 tacacs with Controller

Post a screenshot of your management server setup with the tacacs server.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: ACS 5.3 tacacs with Controller

Hi Colin

Sorry, but currently I don't have access to the controller, hence I can't share the screenshot.
The config is like this:
1. Created a TACACS server, provided the IP and shared secret. All other settings default. Authorization enabled.
2. Created a server group whose first entry is the internal server and whose second is the above-mentioned TACACS server. But there is no server-derived rule.
3. In Management Authentication I have selected the new server group. There is one option for MSCHAP for RADIUS, but I believe that is unchecked.

- Harshad

Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: ACS 5.3 tacacs with Controller

In the "Management Authentication Servers" box, there is a checkbox called "Enable". Make sure that is checked so that it uses the server group you created and listed in the box; otherwise it will not send management authentications to it. You do not need to put the internal database in the server group. The internal database is separate from the management users that are configured locally on the box. Local management users are limited to 10. Adding the Internal Database to the Management authentication server group allows you to authenticate management users from the Configuration > Security > Authentication > Local DB list and get around the 10-user limitation. It unfortunately allows any guest users that are configured in there to log into the controller, so DO NOT add the internal database to the Management Authentication Servers server group.



Colin Joseph
Aruba Customer Engineering

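As an added example (not from this thread, nor from Aruba's or Cisco's documentation), this is what the setup Colin describes looks like in the ArubaOS CLI, with the discouraged server group (internal database plus ACS, fail-through on) shown beside the corrected one so the difference is visible. The server name "acs53", the address 10.10.10.20, the shared secret, the test username and the group names are placeholders I chose; lines starting with "!" are annotations, not configuration.

```text
! TACACS+ server entry: address, shared secret and session authorization
! (the "Authorization enabled" box in the GUI). Address and key are placeholders.
aaa authentication-server tacacs "acs53"
   host 10.10.10.20
   key "replace-with-shared-secret"
   session-authorization
!
! Server group as the original poster built it: internal database first,
! fail-through enabled. Every account in the controller's internal database,
! guest accounts included, can then log in to the management interface.
aaa server-group "mgmt-servers-bad"
   allow-fail-through
   auth-server Internal
   auth-server "acs53"
!
! Corrected group: ACS only. Locally configured management users are still
! checked by the controller itself, so Internal is not needed here.
aaa server-group "mgmt-servers"
   auth-server "acs53"
!
! Management authentication. "enable" is the checkbox Colin refers to; without it
! the server group is listed but never consulted. default-role applies only when
! the TACACS+ server returns no role for the user.
aaa authentication mgmt
   default-role root
   enable
   server-group "mgmt-servers"
!
! Verification from the CLI (constructed credentials).
aaa test-server pap "acs53" netadmin "replace-with-password"
show aaa authentication mgmt
show aaa authentication-server tacacs "acs53"
```

Two things to check once this is in place: the test-server command only proves the shared secret and the ACS identity lookup, so a real SSH/GUI login should be tried afterwards; and the ACS 5.3 side must still return an admin role in its shell profile for the login to get more than default-role (in the deployments I have seen this is the Aruba-Admin-Role TACACS+ attribute, but confirm that against the ArubaOS user guide for your release, as it is an assumption here). The separate mschapv2 knob under "aaa authentication mgmt" is the RADIUS-only option mentioned in the thread and has no effect on the TACACS+ exchange.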

Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: ACS 5.3 tacacs with Controller

Hi Colin

Thanks for the detailed information.
Yes, the 'management auth server box' is enabled.

Will the controller send the requests using MSCHAP? When I check from the AAA test server with PAP it is working. I think there should be some option to select auth methods on the ACS side, similar to CPPM policies.

Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: ACS 5.3 tacacs with Controller

I have never used MSCHAP with management authentication or TACACS.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 1
Registered: ‎12-09-2014

Re: ACS 5.3 tacacs with Controller

Is there a guide on how to configure the Aruba controller with ACS and vice versa?
