I have recently opened a TAC case on an issue I'm having with authenticating users via TACACS on the ACE 4710.
The TAC engineer is telling me that for the authentication to work I need that same user to also have an account on the proper context (Admin context in this case). For example, if I get an ACS account named netadmin, I will also need to create that account on the ACE 4710 (kind of like MARS...).
Is this true?
From the past posts I have read it seems people have gotten this to work by using the following two steps:
A. Configure ACS properly
1. Select user
2. Scroll down to tacacs+ setting
3. check "shell(exec)" option
4. check "custom attributes"
5. Add the custom AV-Pair info in the following format:
6. Save / and then stop/start ACS services
B. Configure the ACE
tacacs-server host a.b.c.d key XXXXXX
aaa group server tacacs+ TACACS
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable
Are there people out there using this successfully without the ACS accounts needing to also be on the ACE?
Thanks in advance!
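As an added illustration (not part of the original thread, and not a Cisco tool), the following Python script parses the ACE AAA stanza quoted above and audits its shape: that a tacacs-server host with a shared key exists, that the default login method list points at a defined server group and keeps a local fallback so an unreachable ACS does not lock administrators out, and that accounting is configured. It also flags "aaa authentication login console none", which means console access requires no credentials at all; whether that is acceptable depends on physical access controls. The sample config is the one posted in the thread; the function and field names are this example's own.

```python
import re

# Constructed sample input: the ACE AAA stanza exactly as posted in the thread
ACE_AAA_CONFIG = """\
tacacs-server host a.b.c.d key XXXXXX
aaa group server tacacs+ TACACS
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable
"""


def _methods(text):
    """Split a method list: 'group TACACS local' -> ['group:TACACS', 'local']."""
    tokens = text.split()
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group:" + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_aaa(config_text):
    """Summarise the TACACS+/AAA lines of an ACE config (hypothetical helper)."""
    summary = {
        "tacacs_hosts": [],       # [{'host': ..., 'has_key': bool}]
        "server_groups": [],      # names from 'aaa group server tacacs+ <name>'
        "login_methods": {},      # method-list name -> ordered methods
        "accounting_methods": [],
        "error_enable": False,
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"tacacs-server host (\S+)(?: key (\S+))?", line)
        if m:
            summary["tacacs_hosts"].append({"host": m.group(1), "has_key": m.group(2) is not None})
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            summary["server_groups"].append(m.group(1))
            continue
        if line == "aaa authentication login error-enable":
            summary["error_enable"] = True
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            summary["login_methods"][m.group(1)] = _methods(m.group(2))
            continue
        m = re.match(r"aaa accounting default (.+)", line)
        if m:
            summary["accounting_methods"] = _methods(m.group(1))
    return summary


def audit(summary):
    """Return a list of findings; an empty list means the stanza has the expected shape."""
    findings = []
    if not summary["tacacs_hosts"]:
        findings.append("no tacacs-server host configured")
    for h in summary["tacacs_hosts"]:
        if not h["has_key"]:
            findings.append(f"tacacs-server host {h['host']} has no shared key")
    default = summary["login_methods"].get("default", [])
    groups = [m.split(":", 1)[1] for m in default if m.startswith("group:")]
    if not groups:
        findings.append("login default does not use a TACACS+ server group")
    for g in groups:
        if g not in summary["server_groups"]:
            findings.append(f"login default references undefined server group {g}")
    if "local" not in default:
        findings.append("login default has no local fallback (lockout risk if ACS is unreachable)")
    if summary["login_methods"].get("console") == ["none"]:
        findings.append("console login is 'none': console access needs no credentials")
    if not summary["accounting_methods"]:
        findings.append("no aaa accounting configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_aaa(ACE_AAA_CONFIG)):
        print("FINDING:", finding)
```

Run against the posted stanza, the only finding is the console method list; the TACACS server, group, default login list with local fallback and accounting all check out, which matches the reply below that the same config works without local accounts.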
We have ACE Appliances working with ACS without having to create local accounts - and your process looks ok too (your ACE config is identical to mine).
Check out this thread for a similar issue: