ACE - Setup AAA TACACS+ using CS Unix ACS

Answered Question
Oct 14th, 2007

Hi,

I have setup AAA tacacs+ on ACE Admin context with RSA token. This is similar to AAA IOS setup.

I can login but it does not allow me to do any commands.

"show users", under Domain, says I am logged in as "Network-Monitor default-domain".

Any ideas how to get around this and make myself a member of the Admin group?

Also is there any doco on setting AAA on ACE module using Cisco Secure For Unix ACS?

Thanks

Sanjay

Syed Iftekhar Ahmed Mon, 10/15/2007 - 12:00

You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (role based access control), and for that you have to pass the context and user role from the Tacacs server to ACE to make it work. If no RBAC info is pushed from the Tacacs server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.

The following steps (on the tacacs server) will make it work:

1. Select your user

2. Go to TACACS+ settings

3. Select the "shell (exec)" checkbox

4. Select the "custom attributes" checkbox

5. Type your context and role information in the custom attributes box, using the following format

shell:<context>*<role> <domain>

For example (if the context name is Admin, the domain is default-domain and you want to assign the role "Admin" to this user):

shell:Admin*Admin default-domain

Hope it helps

Syed

slal Mon, 10/15/2007 - 16:07

Thanks Syed & Roble,

I will read the docos. It seems the Cisco Secure attributes stated are for Windows based Cisco Secure.

I have CS ACS Unix version.

I will try to see if I can get the RBAC setup on this.

Do you have any info on setting this on Cisco Secure ACS Unix?

Thanks

slal

Syed Iftekhar Ahmed Mon, 10/15/2007 - 16:29

Try the following in "tac_plus.conf" and let me know if it works. I haven't tried it myself yet.

user = root {
    service = shell {
        optional shell:Admin = "Admin default-domain"
    }
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}

Thanks

Syed

slal Mon, 10/15/2007 - 18:49

Hi Syed,

I tried this. No success.

I can login but it puts user=insutest in monitor mode.

Looks like it needs a bit more tweaking on what you have told me, Syed.

ACE-Admin/Admin# sh users
User      Context  Line   Login Time (Location)         Role             Domain(s)
*admin    Admin    pts/0  Oct 16 12:36 (127.0.0.71)     Admin            default-domain
insutest  Admin    pts/1  Oct 16 12:33 (a.b.c.d)        Network-Monitor  default-domain

cheers

slal Mon, 10/15/2007 - 20:37

No success with TACACS+, I am trying with RADIUS.

"cisco-avpair=shell:Admin=Admin default-domain; "

Still having no luck...

sanjay

Correct Answer
Syed Iftekhar Ahmed Mon, 10/15/2007 - 21:47

Try this with tacacs+

user = xyz {
    service = shell {
        priv-lvl = 15
        optional shell:Admin = "Admin default-domain"
    }
    service = exec {
        priv-lvl = 15
        optional shell:Admin = "Admin default-domain"
    }
}

Syed

slal Mon, 10/15/2007 - 22:52

Still it dumps in :

"Network-Monitor default-domain"

slal Tue, 10/16/2007 - 23:49

Hi,

It did work as you suggested. I had to move user in [Root] as we have other Shell attributes in different groups.

Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
Oct 16 15:18:29 c1 user = test2 {
Oct 16 15:18:29 c1 service = shell {
Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
Oct 16 13:18:29 c1 }
Oct 16 13:18:29 c1 service = exec {
Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"

ACE-Admin/Admin# sh users
User    Context  Line   Login Time (Location)       Role   Domain(s)
admin   Admin    pts/0  Oct 17 13:43 (127.0.0.71)   Admin  default-domain
*test2  Admin    pts/1  Oct 17 14:07 (a.b.c.d)      Admin  default-domain

When I moved the user into the support group with existing shell access configured, it dumps me in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.

So I guess my option is to use RADIUS as the login method.

I am trying to get it going but the CS ACS Unix does not like:

cisco-avpair = "shell:Admin=Admin default-domain;

Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
Oct 16 15:18:29 c1 check_items = {
Oct 16 15:18:29 c1 200 = 1
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 reply_attributes = {
Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
Oct 16 15:18:29 c1 6 = 6
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 }

Now I get:

[ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) - test2 failed

It would be good to see if anyone else has tried this.

sanjay

slal Wed, 10/17/2007 - 15:25

Hi,

It's working with radius within the support group.

I used the 11.3 dictionary on Cisco Secure ACS Unix.

ACE RADIUS login setup:

radius = ACE-Admin-Pri {
    check_items = {
    }
    reply_attributes = {
        9,1 = "shell:Admin=Admin default-domain"
    }
}

Thanks for all the help

sanjay
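Added example, not code from this thread, from Cisco or from any ACS product: a small Python model of the two attribute formats the thread settles on. It parses the `shell:<context>*<role> <domain>` / `shell:<context>=<role> <domain>` pair from Syed's steps (`*` is the TACACS+ optional separator, `=` the mandatory one), works out which role a login would end up with (falling back to Network-Monitor / default-domain when no pair names the context, which is the "show users" result slal kept getting), and encodes the RADIUS form as a Vendor-Specific attribute (type 26, Cisco vendor id 9, vendor type 1, the "9,1" in the working ACS Unix profile) with the bare `shell:...` string as the value. The role-resolution rule and the treatment of extra tokens as additional domains are my reading of the thread's behaviour, not ACE's actual parser; the RADIUS constants are the standard IANA values.

```python
import struct

# Standard RADIUS / IANA values (not specific to this thread)
RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type "Vendor-Specific"
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco vendor type 1 = cisco-avpair (the "9,1" in the ACS Unix profile)

# What the thread shows ACE falls back to when no RBAC pair is supplied
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"


def parse_shell_avpair(avpair):
    """Split an ACE RBAC pair into (context, role, domains, mandatory).

    Accepts both separators seen in the thread:
      shell:<context>=<role> <domain> [...]   '=' : mandatory pair (TACACS+ and RADIUS)
      shell:<context>*<role> <domain> [...]   '*' : optional pair (TACACS+ only)
    Returns None for anything that is not a shell:<context> pair (e.g. priv-lvl=15).
    Tokens after the role are treated as additional domains (my assumption).
    """
    if not avpair.startswith("shell:"):
        return None
    body = avpair[len("shell:"):]
    seps = [i for i in (body.find("="), body.find("*")) if i >= 0]
    if not seps:
        return None
    sep = min(seps)
    context = body[:sep].strip()
    mandatory = body[sep] == "="
    tokens = body[sep + 1:].split()
    if not context or not tokens:
        return None
    domains = tokens[1:] if len(tokens) > 1 else [DEFAULT_DOMAIN]
    return context, tokens[0], domains, mandatory


def resolve_role(avpairs, context):
    """Model of the role a login into `context` ends up with, given the AV pairs
    the AAA server returned: the first pair naming that context wins; with no
    match the user lands in Network-Monitor / default-domain, which is what the
    "show users" output looked like before the attribute was fixed.
    """
    for av in avpairs:
        parsed = parse_shell_avpair(av)
        if parsed and parsed[0] == context:
            return parsed[1], parsed[2]
    return DEFAULT_ROLE, [DEFAULT_DOMAIN]


def encode_cisco_avpair(value):
    """Encode one cisco-avpair as a RADIUS Vendor-Specific attribute:
    type=26 | len | vendor-id=9 | vendor-type=1 | vendor-len | value
    The value is the bare "shell:..." string; "cisco-avpair=" is the attribute
    name in the dictionary and is not part of the wire value.
    """
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every cisco-avpair string in it.
    Raises ValueError on a bad length so a truncated packet cannot loop or over-read."""
    out = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 4:
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor header")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor length")
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out.append(body[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return out


if __name__ == "__main__":
    # Constructed sample: the working profile value from the thread, wire-encoded and read back
    vsa = encode_cisco_avpair("shell:Admin=Admin default-domain")
    print(vsa.hex())
    print(resolve_role(decode_cisco_avpairs(vsa), "Admin"))   # ('Admin', ['default-domain'])
    print(resolve_role(["priv-lvl=15"], "Admin"))             # ('Network-Monitor', ['default-domain'])
```

Run it directly to see the 40-byte VSA and the two role resolutions. The second call shows the failure mode from earlier in the thread: priv-lvl alone authenticates the user but carries no RBAC information, so the model drops to Network-Monitor.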
