10-14-2007 10:47 PM
Hi,
I have set up AAA TACACS+ on the ACE Admin context with RSA token. This is similar to the AAA IOS setup.
I can log in but it does not allow me to do any commands.
"show users", under Domain, says I am logged in as "Network-Monitor default-domain".
Any ideas how to get around this and make myself part of the Admin group?
Also, is there any doco on setting up AAA on the ACE module using Cisco Secure for Unix ACS?
Thanks
Sanjay
10-15-2007 02:58 AM
Hi Sanjay,
Have a look at the following threads; they already discuss authenticating via ACS/TACACS+ and the ACE blade.
Roble
10-15-2007 12:00 PM
You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (role-based access control), and for that you have to pass the context and user role from the TACACS server to ACE to make it work. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
The following steps (on the TACACS server) will make it work:
1. Select your user
2. Go to TACACS+ settings
3. Select the "shell (exec)" checkbox
4. Select the "custom attributes" checkbox
5. Type your context and role information in the custom attributes box, using the following format:
shell:
For example (if the context name is Admin, the domain is default-domain and you want to assign the role "Admin" to this user):
shell:Admin*Admin default-domain
Hope it helps
Syed
10-15-2007 04:07 PM
Thanks Syed & Roble,
I will read the docos. It seems the Cisco Secure attributes stated are for Windows-based Cisco Secure.
I have the CS ACS Unix version.
I will try to see if I can get the RBAC set up on this.
Do you have any info on setting this up on Cisco Secure ACS Unix?
Thanks
slal
10-15-2007 04:29 PM
Try the following in "tac_plus.conf" and let me know if it works. I haven't tried it myself yet.
user = root {
service = shell {
optional shell:Admin = "Admin default-domain"
}
service = exec {
optional shell:Admin = "Admin default-domain"
}
}
Thanks
Syed
10-15-2007 06:49 PM
Hi Syed,
I tried this. No success.
I can log in, but it puts user=insutest in monitor mode.
Looks like it needs a bit more tweaking on what you have told me, Syed.
ACE-Admin/Admin# sh users
User Context Line Login Time (Location) Role Domain(s)
*admin Admin pts/0 Oct 16 12:36 (127.0.0.71) Admin default-domain
insutest Admin pts/1 Oct 16 12:33 (a.b.c.d) Network-Monitor default-domain
cheers
10-15-2007 08:37 PM
No success with TACACS+, I am trying with RADIUS.
"cisco-avpair=shell:Admin=Admin default-domain; "
Still having no luck...
sanjay
10-15-2007 09:47 PM
Try this with TACACS+:
user = xyz {
service = shell {
priv-lvl = 15
optional shell:Admin = "Admin default-domain"
}
service = exec {
priv-lvl = 15
optional shell:Admin = "Admin default-domain"
}
}
Syed
10-15-2007 10:52 PM
Still it dumps me in:
"Network-Monitor default-domain"
10-16-2007 11:49 PM
Hi,
It did work as you suggested. I had to move the user into [Root] as we have other shell attributes in different groups.
Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
Oct 16 15:18:29 c1 user = test2 {
Oct 16 15:18:29 c1 service = shell {
Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
Oct 16 13:18:29 c1 }
Oct 16 13:18:29 c1 service = exec {
Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
ACE-Admin/Admin# sh users
User Context Line Login Time (Location) Role Domain(s)
admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
*test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
When I moved the user into the support group with existing shell access configured, it dumps me in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up the existing support users.
So I guess my option is to use RADIUS as the login method.
I am trying to get it going, but CS ACS Unix does not like:
cisco-avpair = "shell:Admin=Admin default-domain;
Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
Oct 16 15:18:29 c1 check_items = {
Oct 16 15:18:29 c1 200 = 1
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 reply_attributes = {
Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
Oct 16 15:18:29 c1 6 = 6
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 }
Now I get:
[ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
test2 failed
It would be good to see if anyone else has tried this.
sanjay
10-17-2007 03:25 PM
Hi,
It's working with RADIUS within the support group.
I used the 11.3 dictionary on Cisco Secure ACS Unix.
ACE RADIUS login setup:
radius = ACE-Admin-Pri{
check_items = {
}
reply_attributes = {
9,1 = "shell:Admin=Admin default-domain"
}
}
Thanks for all the help
sanjay
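The behaviour the thread converges on is that ACE derives role and domain from a shell:<context> AV pair in the AAA reply and falls back to Network-Monitor when no pair names the login context. The following is an added illustration (not code from the thread or from Cisco) that models that mapping for both the "shell:Admin=Admin default-domain" (RADIUS) and "shell:Admin*Admin default-domain" (TACACS+ custom attribute) spellings, so a profile can be checked before a user is locked into monitor mode; the fallback to "default-domain" and the tolerance of a trailing ";" are assumptions.

```python
import re

# Assumed defaults, matching what "show users" displayed for an unmapped user in the thread.
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAINS = ("default-domain",)

# "shell:<context>=<role> <domain...>" (RADIUS form) or "shell:<context>*<role> <domain...>"
# (TACACS+ custom-attribute form). A trailing ";" is tolerated (assumption).
_AVPAIR = re.compile(r"^shell:(?P<ctx>[^=*\s]+)\s*[=*]\s*(?P<rest>[^;]+?)\s*;?\s*$")


def parse_avpair(avpair):
    """Return (context, role, domains) for one RBAC AV pair, or None if it is not one.

    A pair with a role but no domain is treated as malformed (None)."""
    m = _AVPAIR.match(avpair.strip())
    if not m:
        return None
    parts = m.group("rest").split()
    if len(parts) < 2:
        return None
    return m.group("ctx"), parts[0], tuple(parts[1:])


def resolve_role(avpairs, login_context="Admin"):
    """Role and domains ACE would apply for a login into `login_context`.

    Only a pair whose context matches counts; anything else (priv-lvl, pairs for
    other contexts, malformed values) leaves the user at the default role."""
    for pair in avpairs:
        parsed = parse_avpair(pair)
        if parsed and parsed[0] == login_context:
            return parsed[1], parsed[2]
    return DEFAULT_ROLE, DEFAULT_DOMAINS


def audit_profiles(profiles, login_context="Admin"):
    """Given {user: [avpairs]} (constructed from a AAA profile export), return the
    users who would land in the default role, i.e. the misconfiguration seen in the thread."""
    return sorted(u for u, pairs in profiles.items()
                  if resolve_role(pairs, login_context)[0] == DEFAULT_ROLE)


if __name__ == "__main__":
    # Constructed sample profiles mirroring the thread's attempts.
    sample = {
        "test2": ["shell:Admin=Admin default-domain"],          # working RADIUS form
        "xyz": ["priv-lvl=15", "shell:Admin*Admin default-domain"],  # TACACS+ form
        "insutest": ["priv-lvl=15"],                              # no RBAC pair at all
    }
    print("users falling back to", DEFAULT_ROLE, "->", audit_profiles(sample))
```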