18-13 User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 18 Administering the Cisco Application Networking Manager
Configuring User Authentication and Authorization

Step 5 Click Save.

Related Topics

Managing User Accounts, page 18-17

Table 18-2 Organization Attributes (continued)

Attribute: ANM Unique IDs
Description:
Field that appears only when the Remote Authorization check box is checked for a TACACS+ server. Enter the value that matches the ANM identifier that you configure on the TACACS+ server (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45). The default value is ANM.

Depending on how you configure the TACACS+ server for user authorization, you may need to specify multiple, comma-separated ANM IDs in the ANM Unique IDs field as follows:

anm_1,anm2,anm3

For example, when configuring ANM user authorization on the TACACS+ server, you can use a maximum of 160 characters to specify an ANM unique ID and associated user role and user domain information. To work around this limitation, on the TACACS+ server you can specify additional domain information for the role by entering multiple ANM identifiers.

When multiple ANM organizations share the same TACACS+ server, specify a different ANM identifier for each organization.

When multiple ANMs share the same TACACS+ server, specify a different ANM identifier for each ANM.

Attribute: Fallback to Local
Description:
Enables ANM to use local authentication (and local user authorization for TACACS+ applications) if the remote primary and secondary AAA servers are not available, such as when there is a timeout issue, connectivity issue, wrong IP address, and so forth.

Note: To use the fallback option, you must configure a local user on ANM that ANM can use when fallback is invoked.

When you enable Fallback to Local for RADIUS and AD/LDAP, ANM falls back to local user authentication only when the AAA server is unreachable. If the AAA server is reachable but remote authentication fails, ANM does not fall back to local and the login is rejected.

When you enable Fallback to Local for TACACS+, ANM falls back to local user authentication and authorization only when the AAA server is unreachable. If the remote server is reachable but remote authentication fails, ANM does not fall back to local and the login is rejected. If Remote Authorization is not enabled, after remote authentication is complete, ANM performs user authorization by checking the local user for role and domain information. If Remote Authorization is enabled and no valid role or domain information is found on the TACACS+ server, including the ANM IP attributes not being set on the TACACS+ server, ANM does not fall back to the local user and rejects the login (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45).
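
The Fallback to Local rules in the table above, modelled as a decision function with an exhaustive check that local credentials decide a login only when the AAA servers are unreachable. This is an added example, not Cisco code; the names decide, Path and cases_reaching_local, the rejection when fallback is disabled, and the local role lookup for RADIUS and AD/LDAP are assumptions.

```python
from enum import Enum
from itertools import product


class Path(Enum):
    REJECT = "login rejected"
    LOCAL = "local user decides the login"
    REMOTE_AUTHN_LOCAL_AUTHZ = "remote authentication, local role/domain"
    REMOTE_AUTHN_REMOTE_AUTHZ = "remote authentication, TACACS+ role/domain"


def decide(server_type, fallback, reachable, authn_ok,
           remote_authz=False, remote_role_valid=False):
    """Return the path one login attempt takes under the table's rules."""
    if not reachable:
        # Fallback applies only when the primary and secondary AAA servers
        # are unavailable. Rejecting when fallback is off is an assumption
        # (the page implies it but does not state it).
        return Path.LOCAL if fallback else Path.REJECT
    if not authn_ok:
        # A reachable server refused the credentials: never fall back.
        return Path.REJECT
    if server_type == "TACACS+" and remote_authz:
        # Remote Authorization enabled: missing or invalid role/domain
        # information on the TACACS+ server is a hard reject.
        return (Path.REMOTE_AUTHN_REMOTE_AUTHZ if remote_role_valid
                else Path.REJECT)
    # TACACS+ without Remote Authorization checks the local user for role
    # and domain. Assumed to hold for RADIUS and AD/LDAP as well, since the
    # page describes Remote Authorization only for TACACS+.
    return Path.REMOTE_AUTHN_LOCAL_AUTHZ


def cases_reaching_local():
    """Enumerate every input combination and keep those ending on LOCAL."""
    hits = []
    for st, fb, up, ok, ra, rv in product(
            ("TACACS+", "RADIUS", "AD/LDAP"), *[(False, True)] * 5):
        if decide(st, fb, up, ok, ra, rv) is Path.LOCAL:
            hits.append((st, fb, up))
    return hits


if __name__ == "__main__":
    for st, fb, up in sorted(set(cases_reaching_local())):
        print(f"{st}: fallback={fb} reachable={up} -> {Path.LOCAL.value}")
```
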