10-23-2007 07:32 PM
I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.
I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.
All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.
Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?
Thanks in advance,
Peter
10-24-2007 02:56 AM
Peter,
The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.
Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:
System > AAA > Users
Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.
Zach
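To make Zach's point concrete, here is an added example (not from the thread or from Cisco) showing how a TACACS+ client interprets the authorization reply for the shell service. The behaviour Peter reported (login lands in user mode and "enable" prompts for a password) is what you get when the reply carries no priv-lvl attribute; the sample replies are constructed.

```python
# Added example (not from the thread or from Cisco): how a TACACS+ client might
# interpret the AUTHOR REPLY attribute-value pairs for service=shell.
from typing import Dict, Tuple

# Constructed sample replies. In TACACS+ AV pairs, '=' marks a mandatory
# attribute and '*' marks an optional one.
REPLY_NO_PRIVLVL = ["service=shell"]                 # shell(exec) ticked, no privilege level
REPLY_PRIVLVL_15 = ["service=shell", "priv-lvl=15"]  # privilege level 15 configured
REPLY_PRIVLVL_OPT = ["service=shell", "priv-lvl*1"]  # optional pair, level 1

DEFAULT_PRIV_LVL = 1  # user mode when the server sends no privilege level


def parse_av_pair(pair: str) -> Tuple[str, str, bool]:
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into parts."""
    # The first '=' or '*' separates attribute from value, whichever comes first.
    idx = min((i for i in (pair.find("="), pair.find("*")) if i >= 0), default=-1)
    if idx < 0:
        raise ValueError(f"malformed AV pair: {pair!r}")
    mandatory = pair[idx] == "="
    return pair[:idx], pair[idx + 1:], mandatory


def effective_priv_lvl(av_pairs) -> int:
    """Return the exec privilege level the session starts in."""
    attrs: Dict[str, str] = {}
    for pair in av_pairs:
        attr, value, _mandatory = parse_av_pair(pair)
        attrs[attr] = value
    if attrs.get("service") != "shell":
        raise ValueError("authorization reply is not for the shell service")
    raw = attrs.get("priv-lvl")
    if raw is None:
        # No privilege level from ACS: the device falls back to user mode.
        return DEFAULT_PRIV_LVL
    level = int(raw)
    if not 0 <= level <= 15:
        raise ValueError(f"priv-lvl out of range: {level}")
    return level


def lands_in_enable_mode(av_pairs) -> bool:
    """True when the login goes straight to privilege 15 (no enable password)."""
    return effective_priv_lvl(av_pairs) == 15
```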
10-25-2007 04:26 PM
Zach,
Thanks, you sorted out my problem. I must say that AAA configuration / assigning roles for the GUI is extremely counter-intuitive.
Peter
12-10-2007 11:36 AM
Zach,
Is there a programmatic way to create these user accounts and assign the appropriate permission level? We have over 300 users in our system and I don't want to enter each one manually.
Not to mention the day-to-day maintenance when people leave or join the company.
- Bill
12-10-2007 11:10 PM
Bill,
Currently authorization is still provided locally by CM. In a future release, we will support full AAA through an external entity, such as ACS. This will negate the need to manage local user accounts.
Zach
07-08-2008 04:52 PM
Hello
Will this be fixed in 4.1?
Thanks
07-08-2008 10:14 PM
Cameron,
The WAAS 4.1 release adds the ability to configure permissions in the Central Manager based on user groups, and then associate one or more groups with user accounts in an ACS server.
Zach
01-12-2009 09:02 AM
Just out of interest, has anybody got this functionality to work with user groups in 4.1? I am able to login to the CM, however, there are not privileges to do anything. I've setup the group "NSE" in CM to match TACACS (Cisco ACS) and gave that group admin privileges. I am able to telnet to the devices with admin privileges without a problem.
I've attached the syslogs from the CM of the test account logging in.