ACE and AAA (TACACS+)

Answered Question

Hi there,

I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I got the message "authorization failed". Here is the AAA debug from the switch:

Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1

Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED

Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS

Any idea what's wrong ??

Best regards Dirk

Correct Answer by Premdeep Banga about 9 years 4 months ago

Hi Dirk,

Any specific reason/requirement that you have to configure the attribute shell:Admin=Admin?

Apart from that, the device is rejecting it, as it is not able to understand it, and on top of that we have made it a mandatory attribute.

Try this,

shell:Admin*Admin

* -> Optional Attribute

Regards,

Prem

Overall Rating: 5 (3 ratings)
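
The mandatory/optional distinction from the answer above, as an added example that is not part of the original thread: a small Python model of how a TACACS+ client evaluates the AV pairs in an authorization reply. The function names and the `SWITCH_KNOWN` set are assumptions made for illustration; the set simply lists the attributes the debug shows the switch processing without complaint.

```python
from typing import NamedTuple


class AVPair(NamedTuple):
    name: str
    value: str
    mandatory: bool


def parse_av(raw: str) -> AVPair:
    """Split on whichever separator comes first: '=' (mandatory) or '*' (optional)."""
    positions = [i for i in (raw.find("="), raw.find("*")) if i != -1]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in AV pair: {raw!r}")
    sep = min(positions)
    return AVPair(raw[:sep], raw[sep + 1:], raw[sep] == "=")


# Assumption: attributes this switch understands, taken from the debug output.
SWITCH_KNOWN = frozenset({"service", "cmd", "priv-lvl"})


def authorize(av_strings, known=SWITCH_KNOWN):
    """Return (passed, applied, ignored, rejected) for one authorization reply."""
    applied, ignored = [], []
    for raw in av_strings:
        av = parse_av(raw)
        if av.name in known:
            applied.append(raw)
        elif av.mandatory:
            # Unknown mandatory AV: the whole authorization fails.
            return False, applied, ignored, raw
        else:
            # Unknown optional AV: skipped, authorization continues.
            ignored.append(raw)
    return True, applied, ignored, None


# AV pairs as they appear in the debug, then with the suggested optional form.
REPLY_MANDATORY = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin=Admin"]
REPLY_OPTIONAL = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin*Admin"]

if __name__ == "__main__":
    for reply in (REPLY_MANDATORY, REPLY_OPTIONAL):
        passed, applied, ignored, rejected = authorize(reply)
        print("PASS" if passed else "FAILED", "applied:", applied,
              "ignored:", ignored, "rejected:", rejected)
```

With the optional form the switch still applies priv-lvl=15 from the same reply, so the shell profile grants level 15 on every device that receives it, not only on the ACE.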
Premdeep Banga Thu, 07/12/2007 - 15:30
