10-10-2008 12:28 PM
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)]
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.
Please help. Thanks.
10-12-2008 12:59 PM
Can any ACE gurus help me out here? Thanks.
10-12-2008 11:34 PM
the problem is the numeric key.
Change the key to something non-numeric.
Gilles.
10-13-2008 12:17 AM
BTW, I have created a new bug for this CSCsv04319 so we can make the error message more explicit or accept the key even if all numeric.
Not sure yet which way we will go.
Thanks for reporting the problem.
Gilles.
10-13-2008 02:40 AM
Thanks. Now I have another problem. I CAN log into the ACE via tacacs+ account(s). However, I get an error when I try going into configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco routers/switches just fine and can go into enable mode just fine. The only issue is on the ACE.
Any ideas? Thanks.
10-13-2008 03:09 AM
ACE doesn't like the '=' in AV pair.
So you might have to do something like below to make sure you end up with the right role.
shell:Admin*Admin default-domain
instead of
shell:Admin=Admin default-domain
10-13-2008 03:24 AM
Where do I find that in Cisco ACS? I am not using any AV pair.
Why is ACE so different than Cisco IOS routers or ASA? If I am not configuring AAA authorization on the device, why should it matter with shell Admin?
I also set up the group which the ngx1 account is in in Cisco ACS; by default, it is permitted to use ALL services, but it is not working either.
10-13-2008 08:31 AM
Please read one of my old posts on this topic. It has answers to your questions.
Thanks
Syed Iftekhar Ahmed
10-13-2008 09:47 AM
Ok. This is what I did:
On your Tacacs Server
1. Select group that ngx1 user belongs to,
2. Scroll down to tacacs+ setting
3. check "shell(exec)" option
4. check "custom attributes"
5. In the custom attributes window add the custom AV-Pair info in the following format:
shell:Admin*Admin default-domain
6. Restart the ACS service.
Tried to log in again: same result.
Anyone know why?
10-13-2008 10:04 AM
Run the following command
show user-account
Within this command output, what role do you see for the user you are logged in as?
Since it's not working I suspect it would say "Network Monitor" (default). If that is the case then the most likely cause is that the Cisco AV-Pair information is not entered correctly.
Syed Iftekhar Ahmed
10-13-2008 10:50 AM
ACE-lab/Admin# sh user-account | b ngx1
user:ngx1
roles: Network-Monitor
domain: default-domain
Context: Admin
account created through REMOTE authentication
Local login not possible
ACE-lab/Admin#
Now how do I go about fixing it? I followed the instructions you suggested step by step.
10-15-2008 04:29 AM
Can gurus in this forum help me resolve this issue? Thank you.
10-15-2008 04:56 AM
If your ACS setup has the correct line shell:Admin*Admin default-domain with the correct names (case sensitive) then it should work.
If everything looks good do
debug aaa aaa-req
debug aaa events
debug aaa error
Try to login and see what you get.
Gilles.
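An added pre-check (not code from this thread, from Cisco, or from ACS) that screens the two settings the thread turns on: the ACS custom attribute, which ACE expects as shell:Admin*Admin default-domain with '*' rather than '=' and case-sensitive names, and the tacacs-server key, which fails the server lookup when it is all numeric. The expected role and domain names are parameters; the character class accepted for names is an assumption of this example.

```python
import re

# Shape of the custom attribute quoted in the thread:
#   shell:<name>*<name> <domain> [<domain> ...]
# The allowed name characters are an assumption of this example.
AV_PAIR_RE = re.compile(
    r"^shell:([A-Za-z0-9_-]+)\*([A-Za-z0-9_-]+)((?:\s+[A-Za-z0-9_-]+)+)$"
)


def _case_problem(what, got, want):
    """Flag a name that only differs from the expected value by case."""
    if got != want and got.lower() == want.lower():
        return f"{what} '{got}' differs from '{want}' only by case (names are case sensitive)"
    return None


def check_av_pair(line, expected_role="Admin", expected_domain="default-domain"):
    """Return a list of problems found in an ACS custom-attribute line; empty means OK."""
    problems = []
    line = line.strip()
    if not line.startswith("shell:"):
        return ["attribute must start with 'shell:'"]
    if "=" in line:
        # The thread's root cause: ACE does not accept '=' here, it wants '*'.
        return ["ACE rejects '=' as the separator; use '*' (shell:Admin*Admin default-domain)"]
    m = AV_PAIR_RE.match(line)
    if not m:
        return ["expected format shell:<name>*<name> <domain> [<domain> ...]"]
    second, domains = m.group(2), m.group(3).split()
    for p in (_case_problem("name after '*'", second, expected_role),
              *[_case_problem("domain", d, expected_domain) for d in domains]):
        if p:
            problems.append(p)
    return problems


def check_tacacs_key(key):
    """Return a warning for an all-numeric tacacs-server key, else None."""
    if key.isdigit():
        # Seen in the thread as 'warning: numeric key will not be encrypted'
        # followed by 'can not find the TACACS+ server' on the server line.
        return "all-numeric key: ACE warns it is not encrypted and the server lookup fails"
    return None
```

Run both checks before opening a console session with the remote account, since a user mapped to the default Network-Monitor role cannot run the debug commands above.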
10-15-2008 05:35 AM
I can log in fine with the AAA credential but I can NOT run any debug aaa commands:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin# debug aaa aaa-req
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
10-15-2008 05:43 AM