Using AAA for WAAS

Unanswered Question
Mar 12th, 2009
User Badges:

We are trying to integrate WAAS with Cisco ACS server for having AAA functionality. Authentication works fine provided we create the user and map respective roles locally in the WAAS CM. Otherwise user is not allowed to login to the home page itself.

We need to know whether it is possible to use the authorization from ACS without creating the user & roles locally in WAAS.

Because it is added work to create all the users in WAAS also.

Please clarify.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gururajan Fri, 03/13/2009 - 02:35
User Badges:

I got the solution. Just wanted to update here,

In WAAS, Authorization privileges apply to console and Telnet connection attempts, secure FTP (SFTP) sessions, and Secure Shell (SSH, Version 1 and Version 2) sessions.

For Web GUI access, we must create users and map roles locally in WAAS. No other GO.



dstolt Fri, 03/13/2009 - 11:26
User Badges:
  • Cisco Employee,


Create users in the GUI with blank passwords and assign them to the roles you want them to have. Then the users will use external authorization to access the GUI.

See if that helps,


tj.mitchell Mon, 04/06/2009 - 07:00
User Badges:
  • Bronze, 100 points or more

You can have TACACS authenticate a user without the user being added locally on the box. The next idea is to what group to put that user in, this can be accomplished as well with out having to create users in WAAS. Your last post on finding the enable login on all the devices and such. But there is also way to map a user to a particular group that has access to only certain devices or can only report or what have you without creating each user on the box itself. This is possible, little cumbersome at first to get it setup, but once setup it can be done fairly quickly.

gururajan Mon, 04/06/2009 - 21:43
User Badges:

Thanks for your reply.

Can you provide me the configuration steps for doing this.

Thanks again,


tj.mitchell Tue, 04/07/2009 - 07:08
User Badges:
  • Bronze, 100 points or more

Let me see what I can do, it's a process. Basically, you can create the group on the WAE like you typically would, then assign the permissions to the group.

Now, once complete, go to your TACACS server, under TACACS services there should a tab for advanced configuration options. Then, once you show that, show customized TACACS attributes, check that off.

Then, define a group in TACACS and in put the custom WAAS Group attributes: Check off Shell (exec)

Check off custom attributes - put the following string in -- waas_rbac_groups=<>


Then either define a new user or assign a user to the new group created.

Test, should work fine.

g-hopkinson Mon, 06/15/2009 - 04:00
User Badges:


Does anyone know a solution for assigning roles within ACE using Radius?




This Discussion