741 Views | 5 Helpful | 4 Replies

ACE Appliance & AAA

k.liepold
Level 1

hi there,

We've had 2 CISCO ACE appliances in use for a few weeks.

They should be able to work with TACACS+, but I've found no way to configure the ACE for TACACS+ login. So logging in is possible, but only in the role "Network-Monitor", so I cannot configure anything. We need to log in with the role "Admin".

We're using CISCO Secure for the TACACS+ login.

Can anyone help?

Thanks, K. Liepold

Accepted Solution

On your TACACS+ server:

1. Select the user.

2. Scroll down to the TACACS+ settings.

3. Check the "shell(exec)" option.

4. Check "custom attributes".

5. In the custom attributes window, add the custom AV-pair info in the following format:

shell:* default-domain

For example, if you are setting it for the Admin context and the Admin user, then use the following:

shell:Admin*Admin default-domain

Just to let you know, the "Data Center" area is the right place to ask ACE related questions.

Thanks

Syed Iftekhar Ahmed


4 Replies


OK, Data Center. It's saved in my brain ;-)

but:

it works!

1.000 thanks... :-)

k. liepold

Many thanks for this tip also - it's better than the manual!

The ACE 4710 security guide says

shell:= ...

But when I tried that on a group in ACS, all my admins were unable to log in to IOS devices any more.

Replacing the = with * as you suggest causes that problem to go away.

If anyone from Cisco is lurking here, please can you get the guide changed? It's very dangerous advice if your admins also administer IOS devices.

Just to clarify why it worked with *:

"*" represents an optional attribute that can be ignored by a device, whereas "=" means a mandatory attribute. If an attribute is not supported by a device, it will drop the auth request; replacing = with * made the attribute optional for IOS devices (devices that do not understand these AV-pairs sent by ACE).

Copied from the TACACS+ draft:

"The authorization arguments in both the REQUEST and the RESPONSE are attribute-value pairs. The attribute and the value are in a single ascii string and are separated by either a "=" (0X3D) or a "*" (0X2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one."

Syed Iftekhar Ahmed
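As an added illustration (not code from the thread or from Cisco), the following Python models the rule quoted from the TACACS+ draft: a client splits each authorization argument at the first "=" or "*", treats "=" as mandatory and "*" as optional, and rejects the authorization only when a mandatory attribute is one it does not understand. The device capability sets and the sample AV-pairs are constructed for the example; it shows why `shell:Admin=Admin default-domain` breaks logins on an IOS-style device that does not know the `shell:Admin` attribute, while `shell:Admin*Admin default-domain` is simply ignored there and still applied on an ACE-style device that does understand it.

```python
# Added example: models TACACS+ authorization AV-pair handling as described in
# the draft quoted above. Device profiles below are constructed assumptions,
# not a description of real IOS or ACE behaviour beyond the mandatory/optional rule.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # True for "=" (0x3D), False for "*" (0x2A)


def parse_avpair(raw: str) -> AVPair:
    """Split one AV-pair string at the first '=' or '*' separator.

    The separator is whichever of '=' / '*' occurs first, so the value part may
    itself contain either character. 'shell:Admin*Admin default-domain' parses
    as attribute 'shell:Admin', value 'Admin default-domain', optional.
    """
    positions = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in AV-pair: {raw!r}")
    idx = min(positions)
    if idx == 0:
        raise ValueError(f"empty attribute name in AV-pair: {raw!r}")
    return AVPair(attribute=raw[:idx], value=raw[idx + 1:], mandatory=(raw[idx] == "="))


def authorize(avpairs: Iterable[str], supported: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Apply the draft's rule for a device that understands only `supported` attributes.

    Returns (accepted, applied_attributes). An unsupported mandatory attribute
    causes the whole authorization to be rejected; an unsupported optional
    attribute is silently ignored.
    """
    applied: Dict[str, str] = {}
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.attribute in supported:
            applied[pair.attribute] = pair.value
        elif pair.mandatory:
            return False, {}  # device cannot honour a mandatory argument: reject
        # optional and unsupported: ignored, continue with the rest
    return True, applied


# Constructed device profiles (assumptions for the example only).
IOS_LIKE_DEVICE = {"priv-lvl"}                   # knows nothing about ACE's shell:<context> attribute
ACE_LIKE_DEVICE = {"priv-lvl", "shell:Admin"}    # understands the context/role attribute

# Constructed AV-pair sets as an ACS group might send them.
MANDATORY_PROFILE = ["priv-lvl=15", "shell:Admin=Admin default-domain"]  # the guide's "=" form
OPTIONAL_PROFILE = ["priv-lvl=15", "shell:Admin*Admin default-domain"]   # the "*" form from the thread


def compare_profiles() -> Dict[str, bool]:
    """Return whether each (profile, device) combination is accepted."""
    return {
        "mandatory_on_ios": authorize(MANDATORY_PROFILE, IOS_LIKE_DEVICE)[0],
        "optional_on_ios": authorize(OPTIONAL_PROFILE, IOS_LIKE_DEVICE)[0],
        "mandatory_on_ace": authorize(MANDATORY_PROFILE, ACE_LIKE_DEVICE)[0],
        "optional_on_ace": authorize(OPTIONAL_PROFILE, ACE_LIKE_DEVICE)[0],
    }


if __name__ == "__main__":
    for name, accepted in compare_profiles().items():
        print(f"{name}: {'accepted' if accepted else 'REJECTED'}")
```

The only combination that fails is the mandatory form on the IOS-like device, which matches the lockout reported earlier in the thread; the optional form is accepted everywhere and still carries the context and role to the device that understands them.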
