ACE - Setup AAA TACACS+ using CS Unix ACS

slal
Level 1

Hi,

I have set up AAA TACACS+ on the ACE Admin context with RSA tokens. This is similar to the AAA IOS setup.

I can log in but it does not allow me to run any commands.

"show users", under Domain, says I am logged in as "Network-Monitor default-domain".

Any ideas how to get around this and make myself a member of the Admin group?

Also, is there any doco on setting up AAA on an ACE module using Cisco Secure ACS for Unix?

Thanks

Sanjay


You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (role-based access control), and for that you have to pass the context and user role from the TACACS server to ACE. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, the default role assigned by ACE is Network-Monitor.

The following steps (on the TACACS server) will make it work:

1. Select your user.

2. Go to TACACS+ settings.

3. Select the "Shell (exec)" checkbox.

4. Select the "Custom attributes" checkbox.

5. Type your context and role information in the custom attributes box, using the following format:

shell:<context>*<role> <domain>

For example (if the context name is Admin, the domain is default-domain and you want to assign the role "Admin" to this user):

shell:Admin*Admin default-domain

Hope it helps

Syed

Thanks Syed & Roble,

I will read the docos. It seems the Cisco Secure attributes stated are for the Windows-based Cisco Secure.

I have the CS ACS Unix version.

I will try to see if I can get the RBAC setup working on this.

Do you have any info on setting this up on Cisco Secure ACS Unix?

Thanks

slal

Try the following in "tac_plus.conf" and let me know if it works. I haven't tried it myself yet.

user = root {
    service = shell {
        optional shell:Admin = "Admin default-domain"
    }
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}

Thanks

Syed

Hi Syed,

I tried this. No success.

I can log in but it puts user=insutest in monitor mode.

Looks like a bit more tweaking is needed on what you have told me, Syed.

ACE-Admin/Admin# sh users
User      Context  Line   Login Time    (Location)     Role             Domain(s)
*admin    Admin    pts/0  Oct 16 12:36  (127.0.0.71)   Admin            default-domain
insutest  Admin    pts/1  Oct 16 12:33  (a.b.c.d)      Network-Monitor  default-domain

cheers

No success with TACACS+, so I am trying with RADIUS:

"cisco-avpair=shell:Admin=Admin default-domain; "

Still having no luck...

sanjay

Try this with tacacs+

user = xyz {
    service = shell {
        priv-lvl = 15
        optional shell:Admin = "Admin default-domain"
    }
    service = exec {
        priv-lvl = 15
        optional shell:Admin = "Admin default-domain"
    }
}

Syed

It still dumps me in:

"Network-Monitor default-domain"

Hi,

It did work as you suggested. I had to move the user into [Root] as we have other shell attributes in different groups.

Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
Oct 16 15:18:29 c1 user = test2 {
Oct 16 15:18:29 c1 service = shell {
Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
Oct 16 13:18:29 c1 }
Oct 16 13:18:29 c1 service = exec {
Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"

ACE-Admin/Admin# sh users
User     Context  Line   Login Time    (Location)     Role   Domain(s)
admin    Admin    pts/0  Oct 17 13:43  (127.0.0.71)   Admin  default-domain
*test2   Admin    pts/1  Oct 17 14:07  (a.b.c.d)      Admin  default-domain

When I moved the user into the support group with existing shell access configured, it dumps me in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.

So I guess my option is to use RADIUS as the login method.

I am trying to get it going but CS ACS Unix does not like:

cisco-avpair = "shell:Admin=Admin default-domain;

Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
Oct 16 15:18:29 c1 check_items = {
Oct 16 15:18:29 c1 200 = 1
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 reply_attributes = {
Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
Oct 16 15:18:29 c1 6 = 6
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 }

Now I get:

[ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
test2 failed

It would be good to see if anyone else has tried this.

sanjay

Hi,

It's working with RADIUS within the support group.

I used the 11.3 dictionary on Cisco Secure ACS Unix.

ACE RADIUS login setup:

radius = ACE-Admin-Pri {
    check_items = {
    }
    reply_attributes = {
        9,1 = "shell:Admin=Admin default-domain"
    }
}

Thanks for all the help

sanjay
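The RBAC attribute this thread revolves around, parsed by an added example (not code from the thread, from Cisco, or from ACS): it accepts the ACS custom-attribute form shell:<context>*<role> <domain...> from Syed's steps and the shell:<context>=<role> <domain...> form used in the tac_plus.conf and RADIUS profiles above, and applies the Network-Monitor fallback Syed describes when nothing usable is pushed. Tolerating a leading "cisco-avpair=" and a trailing ";" (the failed RADIUS attempt), and falling back the same way when the pair names a different context, are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional

# Defaults ACE applies when no RBAC attribute reaches it (as stated in the thread).
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"


class AceRbac(NamedTuple):
    context: str
    role: str
    domains: List[str]


# Both spellings that appear in the thread:
#   shell:Admin*Admin default-domain   (ACS "custom attributes" box)
#   shell:Admin=Admin default-domain   (tac_plus.conf / RADIUS attribute 9,1)
# Tolerating a leading "cisco-avpair=" and a trailing ";" (the failed RADIUS
# attempt) is an assumption of this example, not documented ACE behaviour.
_PAIR = re.compile(r"^(?:cisco-avpair=)?shell:(?P<ctx>[^*=\s]+)[*=](?P<rest>.+?)\s*;?$")


def parse_rbac_avpair(value: str) -> Optional[AceRbac]:
    """Parse one shell:<context>*<role> <domain...> attribute; None if malformed."""
    m = _PAIR.match(value.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    if len(tokens) < 2:        # a role and at least one domain are required
        return None
    return AceRbac(m.group("ctx"), tokens[0], tokens[1:])


def effective_role(avpairs: List[str], login_context: str) -> AceRbac:
    """Role and domains ACE would apply for a login into login_context.

    No usable pair -> Network-Monitor in default-domain (stated in the thread).
    Treating a pair for a different context the same way is an assumption.
    """
    for value in avpairs:
        parsed = parse_rbac_avpair(value)
        if parsed is not None and parsed.context == login_context:
            return parsed
    return AceRbac(login_context, DEFAULT_ROLE, [DEFAULT_DOMAIN])
```

Running the debug-log value "shell:Admin=Admin Admin default-domain" through parse_rbac_avpair shows the repeated token landing in the domain list, which is one quick way to spot a mangled attribute before it reaches the box.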
