WAE, TACACS and ACS

Answered Question
Oct 23rd, 2007

I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.


I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.


All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.


Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?


Thanks in advance,


Peter

Correct Answer
Zach Seils Wed, 10/24/2007 - 02:56

Peter,


The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.


Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:


System > AAA > Users


Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.


Zach
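
What the 'Privilege level' setting for the shell service turns into on the wire is a priv-lvl argument in the TACACS+ authorization REPLY, which is what the WAE reads to decide whether the session starts at level 1 or level 15. The following encoder/decoder is an added example written for this thread; it is not code from the original post, from Cisco WAAS or from ACS. It follows the REPLY body layout in RFC 8907 section 6.2. The sample replies are constructed here, the assumption that the device requests service=shell and falls back to level 1 when no priv-lvl is returned is a model of the symptom Peter describes, and the constant names are this example's own.

```python
"""TACACS+ authorization REPLY encoder/decoder (RFC 8907, section 6.2).

Added example for the thread above, not code from the original post,
from Cisco WAAS or from ACS.  It shows what the ACS 'Privilege level'
setting for the shell service becomes on the wire (a priv-lvl argument)
and models why its absence leaves a session in user mode.
"""
import struct

# Status values from RFC 8907 section 6.2
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11

# Assumption (not from the thread): a PASS without priv-lvl lands at level 1.
DEFAULT_PRIV_LVL = 1


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Build the body of an authorization REPLY packet.

    args: list of (name, value, mandatory).  RFC 8907 separates name and
    value with '=' for mandatory arguments and '*' for optional ones.
    """
    encoded = [f"{n}{'=' if m else '*'}{v}".encode() for n, v, m in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("too many or too long arguments")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)
    return body + server_msg + data + b"".join(encoded)


def _split_arg(raw):
    """Split 'name=value' / 'name*value' at the first separator."""
    text = raw.decode()
    seps = [i for i in (text.find("="), text.find("*")) if i != -1]
    if not seps:
        raise ValueError(f"argument without separator: {text!r}")
    idx = min(seps)
    return text[:idx], text[idx + 1:], text[idx] == "="


def decode_author_reply(body):
    """Parse a REPLY body into (status, server_msg, data, args).

    args is {name: (value, mandatory)}.  Every length field is checked
    against the body size so a truncated reply raises instead of being
    silently mis-parsed.
    """
    if len(body) < 6:
        raise ValueError("body too short for fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    if len(body) < off + arg_cnt:
        raise ValueError("truncated argument length table")
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(body) != off + msg_len + data_len + sum(arg_lens):
        raise ValueError("body length does not match length fields")
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = {}
    for length in arg_lens:
        name, value, mandatory = _split_arg(body[off:off + length])
        args[name] = (value, mandatory)
        off += length
    return status, server_msg, data, args


def effective_priv_lvl(body):
    """Model the device's decision after a shell authorization.

    Returns the privilege level the session starts in, or None when the
    server did not PASS.  Mirrors the thread: PASS without priv-lvl gives
    user mode (level 1, by assumption); priv-lvl=15 gives enable mode.
    """
    status, _msg, _data, args = decode_author_reply(body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                      TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    if "priv-lvl" not in args:
        return DEFAULT_PRIV_LVL
    lvl = int(args["priv-lvl"][0])
    if not 0 <= lvl <= 15:
        raise ValueError(f"priv-lvl out of range: {lvl}")
    return lvl


# Constructed sample replies: ACS answering a service=shell request
# before and after the 'Privilege level' setting is filled in.
REPLY_NO_PRIV = encode_author_reply(
    TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [("service", "shell", True)])
REPLY_PRIV_15 = encode_author_reply(
    TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
    [("service", "shell", True), ("priv-lvl", "15", True)])
REPLY_FAIL = encode_author_reply(
    TAC_PLUS_AUTHOR_STATUS_FAIL, [], server_msg=b"Authorization denied")

if __name__ == "__main__":
    for label, reply in (("no priv-lvl", REPLY_NO_PRIV),
                         ("priv-lvl=15", REPLY_PRIV_15),
                         ("FAIL", REPLY_FAIL)):
        print(f"{label:12s} -> session privilege level {effective_priv_lvl(reply)}")
```

Running the block prints the level each sample lands in; the first case is the one Peter hit (authorization passed, but no priv-lvl, so the WAE drops him into user mode and asks for the enable password). When debugging this against a real ACS, capturing the REPLY and feeding its body to decode_author_reply shows directly whether the priv-lvl argument is being sent.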



pthaynes Thu, 10/25/2007 - 16:26

Zach,


Thanks, you sorted out my problem. I must say that AAA configuration / assigning roles for the GUI is extremely counter-intuitive.


Peter

Zach Seils Mon, 12/10/2007 - 23:10

Bill,


Currently authorization is still provided locally by CM. In a future release, we will support full AAA through an external entity, such as ACS. This will negate the need to manage local user accounts.


Zach



Zach Seils Tue, 07/08/2008 - 22:14

Cameron,


The WAAS 4.1 release adds the ability to configure permissions in the Central Manager based on user groups, and then associate one or more groups with user accounts in an ACS server.


Zach



Patrick Murphy Mon, 01/12/2009 - 09:02

Just out of interest, has anybody got this functionality to work with user groups in 4.1? I am able to login to the CM, however, there are no privileges to do anything. I've set up the group "NSE" in CM to match TACACS (Cisco ACS) and gave that group admin privileges. I am able to telnet to the devices with admin privileges without a problem.


I've attached the syslogs from the CM of the test account logging in.



