AAA authentication on different Cisco Devices

Unanswered Question
Jul 19th, 2007


we use a tacacs Server ACS4.0 and have different networkdevices in our network, just like MDS 9000 ACE-Module and normal CatO and IOS devices.

Now I wanted to creat a group with users with are allowed to connect to all devices as admin.

But to connect to the ACE Module i need to insert the following lines to the ACE Custom attributes: shell:ANLOS*Admin,

and for the MDS 9000 pair*shell:roles="network-admin".

When I insert the commands allone the authentication on the devices works, but when I inser both commands, the authentication on the ACE Module failed.

Is it possible to insert both commands so that it works on all devices ??

Thanks very mutch


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rochopra Thu, 07/19/2007 - 09:26


This will be possible through Network Access Profiles.

Following link can give you more information on NAP:

As a pointer

You need to create 2 NAP's

One for ACE Module

Other for MDS 9000

In these you have to define Network Access Filters having ACE for ACE-NAP

and MDS for MDS-NAP

And for the NAP's you have to define the Radius Authorization components (attributes) to be send when the authentication happens from the devices referred in NAP.

(Both NAF and RAC can be defined in Shared Profile Components, if you cannot see them there enable them from Interface Configuration)

So now whenever the authentication will happen, ACS will look at the required NAP and for specific device send the required RAC attributes, So for ACE devices you will get only ACE attributes and for MDS you will only get MDS attributes.



darpotter Sun, 07/22/2007 - 23:01

Not sure that will work... NAP is for RADIUS only and device admin uses TACACS+

No, the way to do it is create an admins group plus a number of Shared Device Command sets (one for each device type).

In the command authorisation section of the group setup add mapping from the AAA Clients (either at device level or NDG) to the appropriate SPC.

This way an admin user is always in the admin group, but the command authorisation change depending on the device being managed.

et voila!

Device Command Sets are explained in this excellent White Paper:


This Discussion