AAA on ACE

Answered Question
Jul 15th, 2009

Dear experts,

I need to enable aaa authentication on Cisco ACE 4710 and unable to do that. Please help me with this.

Here is the config i have done on the ACE.

tacacs-server key 7 "[email protected]"

tacacs-server host 172.18.124.20 key 7 "[email protected]"

tacacs-server host 172.18.124.21 key 7 "[email protected]"

aaa group server tacacs+ TACACS+_Server_Group1

server 172.18.124.20

server 172.18.124.21

aaa authentication login default group TACACS+_Server_Group1 local

aaa authentication login error-enable

I added the entry for ACE in ACS but still its not authenticating.

Regards,

Akhil

I have this problem too.
0 votes
Correct Answer by Syed Iftekhar Ahmed about 7 years 4 months ago

You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.

Following steps (On tacacs server) will make it work

1. Select your user

2. goto tacas+ settings

3. Select " shell (exec)" checkbox

4. Select "custom attributes" checkbox

5. Type your context and role information in custom attrib box, using following format

shell:*

for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )

shell:Admin*Admin default-domain

For more information

Please read One of my old post on this topic.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc10b80/3#selected_message

Hope it helps

Syed Iftekhar Ahmed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (2 ratings)
Loading.
dario.didio Wed, 07/15/2009 - 23:32

Hi,

Are the ACS IP Addresses reachable from your ACE?

Do you see failed attempts on your ACS?

Is your Tacacs server using port 49, which is used by the ACE by default?

HTH,

Dario

akhil.abrol Wed, 07/15/2009 - 23:35

Yes, ACS is reachable from all 4 ACEs. I specifically opened a policy in the firewall to check the traffic.

I cant see any failed attempts and yes the ACS server is using default port 49. i did a telnet test from ACE to ACS in 49 and it was successful.

Regards,

Akhil

mherald Thu, 07/16/2009 - 12:10

By not working, what do you mean? FOr example, does your username/password not work at all? Or the username/password does work but with limited privs?

If it is the second case, in the ACS, dont forget to add the TACACS+ Settings / Custom Attributes:

shell:Admin*Admin default-domain (for default).

Note - if you are doing IOS authorization on any other device which this user is a part of, ensure the "*" is there or you may get the ACE AAA functional, but now IOS devices will give you fits.

akhil.abrol Thu, 07/16/2009 - 22:41

Yes, its the second case.

I can login with my AAA credentials but not previleged.

Please clear this a little more.

If it is the second case, in the ACS, dont forget to add the TACACS+ Settings / Custom Attributes:

shell:Admin*Admin default-domain (for default).

In Tacacs+ settings, where do i have make thses changes?

Regards,

Akhil

Correct Answer
Syed Iftekhar Ahmed Thu, 07/16/2009 - 23:52

You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.

Following steps (On tacacs server) will make it work

1. Select your user

2. goto tacas+ settings

3. Select " shell (exec)" checkbox

4. Select "custom attributes" checkbox

5. Type your context and role information in custom attrib box, using following format

shell:*

for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )

shell:Admin*Admin default-domain

For more information

Please read One of my old post on this topic.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc10b80/3#selected_message

Hope it helps

Syed Iftekhar Ahmed

akhil.abrol Fri, 07/17/2009 - 00:24

Thats why i wrote dear "Experts" :) :) :) :)

Actually the custom attributes option was not enabled in the interface configuration. So i searched it and checked it there..

Thanks for the help. :)

Akhil

akhil.abrol Fri, 07/17/2009 - 23:42

Hi,

After doing the changes, i cannot loging to my other network devices. Is there a way out for this or I need to create a seperate ID for ACE.?

--

Akhil

Actions

This Discussion