ACE and AAA (TACACS+)

Hi there,

I have a little problem with TACACS+ and the ACE module.

I have configured AAA authentication with TACACS+. Authentication against the ACS works fine, but when I am logged in on the ACE module I can't use the configure command... When I look at the user information I see that I am logged in with the role "Network-Monitoring".

How can I map a user from the ACS (TACACS+) to the role admin?

Do I have to do some configuration on the ACS or on the module?

On CCO I found nothing about mapping, only something about LDAP (is that possibly the solution?).

Thanks a lot for any answers and best regards,

Dirk

Correct Answer by Roble Mumin, Wed, 07/11/2007 - 12:04

You have to submit the role during authentication and authorization. The info you are looking for is in the security guide. Check the following link which explains your issue very well.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045

[quote]

The user profile attribute serves an important configuration function for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.

[quote end]

Hope that helps...

Roble

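
A worked illustration of the rule quoted in the answer, added here as an example; it is not code from this thread or from Cisco. It parses the TACACS+ user profile attribute the ACE expects, in the shell:<context>*<role>/<domain> form described in the linked security guide, and applies the fallback exactly as quoted: no attribute, a malformed attribute, or no entry for the context being logged into yields the Network-Monitor role in default-domain. Two details are my assumptions, not stated on this page: that entries for several contexts are whitespace-separated within one value, with extra domains as bare tokens after an entry, and that context names match exactly. The sample profile strings are constructed.

```python
"""Resolve an ACE login's role and domains from a TACACS+ user profile attribute.

Added example, not the thread's or Cisco's code. Attribute syntax per the ACE
security guide: shell:<context>*<role>/<domain>. Multi-context/multi-domain
handling and exact-match context comparison are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defaults the ACE falls back to when the profile is absent, malformed, or does
# not cover the login context (the rule quoted in the answer).
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"

# One context entry: <context>*<role>/<domain>; none of the three may contain
# '*', '/' or whitespace.
_ENTRY = re.compile(r"^([^*/\s]+)\*([^*/\s]+)/([^*/\s]+)$")


def parse_profile(value: Optional[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Parse a user profile value into {context: (role, [domains])}.

    Returns an empty dict when the value is missing or malformed so the caller
    can fall back to the defaults. Assumption: after "shell:", tokens are
    whitespace-separated; a token containing '*' starts a new context entry and
    bare tokens that follow it are additional domains for that entry.
    """
    if not value or not value.startswith("shell:"):
        return {}
    profiles: Dict[str, Tuple[str, List[str]]] = {}
    current: Optional[str] = None
    for token in value[len("shell:"):].split():
        if "*" in token:
            match = _ENTRY.match(token)
            if not match:
                return {}  # malformed entry: treat the whole profile as unusable
            ctx, role, domain = match.groups()
            profiles[ctx] = (role, [domain])
            current = ctx
        elif current is not None and "/" not in token:
            profiles[current][1].append(token)  # extra domain for the current entry
        else:
            return {}  # bare token before any entry, or stray '/': malformed
    return profiles


def resolve_access(value: Optional[str], login_context: str) -> Tuple[str, List[str], str]:
    """Return (role, domains, reason) for a user logging in to login_context.

    Mirrors the quoted behaviour: the defaults apply unless the server returned
    a well-formed profile with an entry whose context name matches exactly.
    """
    if not value:
        return DEFAULT_ROLE, [DEFAULT_DOMAIN], "no user profile attribute returned by the TACACS+ server"
    profiles = parse_profile(value)
    if not profiles:
        return DEFAULT_ROLE, [DEFAULT_DOMAIN], "user profile attribute is malformed"
    if login_context not in profiles:
        return (DEFAULT_ROLE, [DEFAULT_DOMAIN],
                "profile covers contexts %s but login context is %r" % (sorted(profiles), login_context))
    role, domains = profiles[login_context]
    return role, list(domains), "matched context"


if __name__ == "__main__":
    # Constructed sample attribute values; the third reproduces the question's
    # symptom (a profile for a different context than the one logged into).
    samples = [
        ("shell:Admin*Admin/default-domain", "Admin"),
        (None, "Admin"),
        ("shell:Cust1*Admin/default-domain", "Admin"),
        ("shell:Admin*Admin/default-domain Cust1*Network-Admin/default-domain web-domain", "Cust1"),
        ("shell:Admin*Admin", "Admin"),
    ]
    for attribute, context in samples:
        role, domains, reason = resolve_access(attribute, context)
        print("%-80r -> role=%s domains=%s (%s)" % (attribute, role, domains, reason))
```

The third sample is the situation in the question: authentication succeeds, but the role ends up as Network-Monitor because the profile's context name does not match the context being logged into. To land in the Admin role the ACS has to return a profile whose context entry names that login context with role Admin.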
