WAE, TACACS and ACS

pthaynes (Level 1)

I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.

I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.

All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.

Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?

Thanks in advance,

Peter

Accepted Solution

Zach Seils (Level 7)

Peter,

The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.

Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:

System > AAA > Users

Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.

Zach

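To make the point in the accepted answer concrete, here is an added example (written for this thread, not code from Cisco, ACS or WAAS) of the TACACS+ authorization exchange for an exec shell, built and parsed in Python per RFC 8907. It shows what differs on the wire between an ACS shell (exec) profile with no privilege level set and one with "Privilege level 15": the REPLY either carries no priv-lvl attribute or carries priv-lvl=15. The user, port, address and messages are constructed; the packet header, body obfuscation and transport are left out; and the fallback to level 1 when the server sends no priv-lvl is an assumption about client behaviour, not something the thread states.

```python
"""TACACS+ (RFC 8907) shell authorization REQUEST/REPLY bodies.

Added example, not Cisco/ACS/WAAS code. Header, MD5-pad obfuscation and
transport are omitted; sample values are constructed. DEFAULT_PRIV_LVL is an
assumption about what a client grants when the reply carries no priv-lvl.
"""
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11

# Fixed REQUEST fields (RFC 8907, section 6.1)
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01

DEFAULT_PRIV_LVL = 1  # assumption: level kept when the server sends no priv-lvl


def build_author_request(user, port, rem_addr, args, priv_lvl=DEFAULT_PRIV_LVL):
    """REQUEST body: 8 fixed bytes, arg length table, then user/port/addr/args."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    body = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(arg_b))
    body += bytes(len(a) for a in arg_b)
    return body + user_b + port_b + rem_b + b"".join(arg_b)


def build_author_reply(status, args=(), server_msg="", data=b""):
    """REPLY body as a server (e.g. ACS) would send it."""
    arg_b = [a.encode() for a in args]
    msg_b = server_msg.encode()
    body = struct.pack("!BBHH", status, len(arg_b), len(msg_b), len(data))
    body += bytes(len(a) for a in arg_b)
    return body + msg_b + data + b"".join(arg_b)


def parse_author_reply(body):
    """Decode a REPLY body into (status, server_msg, data, args).
    Declared lengths are checked against the real size, so a truncated or
    crafted reply raises instead of being read past its end."""
    if len(body) < 6:
        raise ValueError("reply body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt
    if len(body) != off + msg_len + data_len + sum(arg_lens):
        raise ValueError("declared lengths do not match body size")
    server_msg = body[off:off + msg_len].decode("ascii", "replace")
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    return status, server_msg, data, args


def parse_avpairs(args):
    """attribute -> value; '=' is a mandatory pair, '*' an optional one, and
    the first separator found ends the attribute name."""
    pairs = {}
    for a in args:
        idx = [i for i in (a.find("="), a.find("*")) if i >= 0]
        if not idx:
            raise ValueError("malformed AV pair: %r" % a)
        i = min(idx)
        pairs[a[:i]] = a[i + 1:]
    return pairs


def effective_priv_lvl(reply_body, request_args, default=DEFAULT_PRIV_LVL):
    """Level the client should grant for the exec shell, or None if refused.
    PASS_ADD merges the reply's pairs into the request's; PASS_REPL replaces them."""
    status, _msg, _data, args = parse_author_reply(reply_body)
    if status in (AUTHOR_STATUS_FAIL, AUTHOR_STATUS_ERROR):
        return None
    if status == AUTHOR_STATUS_PASS_ADD:
        pairs = parse_avpairs(list(request_args) + args)
    elif status == AUTHOR_STATUS_PASS_REPL:
        pairs = parse_avpairs(args)
    else:
        raise ValueError("unknown authorization status 0x%02x" % status)
    if "priv-lvl" not in pairs:
        return default
    lvl = int(pairs["priv-lvl"])
    if not 0 <= lvl <= 15:
        raise ValueError("priv-lvl %d out of range" % lvl)
    return lvl


# Constructed sample exchange: a WAE authorizes an exec shell for user "peter".
REQUEST_ARGS = ["service=shell", "cmd*"]
REQUEST = build_author_request("peter", "tty0", "10.0.0.5", REQUEST_ARGS)
# shell(exec) ticked but no Privilege level set: reply carries no priv-lvl.
REPLY_NO_LEVEL = build_author_reply(AUTHOR_STATUS_PASS_ADD)
# Same profile with Privilege level 15 under the shell service.
REPLY_LEVEL_15 = build_author_reply(AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
# A group that denies exec altogether.
REPLY_DENIED = build_author_reply(AUTHOR_STATUS_FAIL, server_msg="exec not permitted")

if __name__ == "__main__":
    for name, reply in (("no priv-lvl", REPLY_NO_LEVEL), ("priv-lvl=15", REPLY_LEVEL_15),
                        ("denied", REPLY_DENIED)):
        print("%-12s -> granted level %r" % (name, effective_priv_lvl(reply, REQUEST_ARGS)))
```

Run stand-alone, the script reports the level each reply yields: the reply without priv-lvl leaves the user at the default level (the "user mode" symptom in the question), the one with priv-lvl=15 grants enable directly, and the FAIL reply grants no shell. The length checks in parse_author_reply matter beyond this thread: an authorization reply is trusted input that decides a privilege level, so a client must not let declared field lengths run past the packet.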

7 Replies


Zach,

Thanks, you sorted out my problem. I must say that AAA configuration / assigning roles for the GUI is extremely counter-intuitive.

Peter

Zach,

Is there a programmatic way to create these user accounts and assign the appropriate permission level? We have over 300 users in our system and I don't want to enter each one manually.

Not to mention the day-to-day maintenance when people leave or join the company.

- Bill

Bill,

Currently authorization is still provided locally by CM. In a future release, we will support full AAA through an external entity, such as ACS. This will negate the need to manage local user accounts.

Zach

Hello

Will this be fixed in 4.1?

Thanks

Cameron,

The WAAS 4.1 release adds the ability to configure permissions in the Central Manager based on user groups, and then associate one or more groups with user accounts in an ACS server.

Zach

Just out of interest, has anybody got this functionality to work with user groups in 4.1? I am able to log in to the CM; however, there are no privileges to do anything. I've set up the group "NSE" in CM to match TACACS (Cisco ACS) and gave that group admin privileges. I am able to telnet to the devices with admin privileges without a problem.

I've attached the syslogs from the CM of the test account logging in.
