Cisco ACE and ACS setup - why do you need to telnet first before SSH?

Unanswered Question
Mar 16th, 2010

All,

Just been trying to set up an ACE4700 to auth to ACS Release 4.2(0) Build 124 Patch 9.

Issues I have are...

Seems that this bug is affecting my authenticating with SSH:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsu36078&from=summary

The only way I can get an account to work is if I Telnet before I SSH to the ACE device. Any help would be great, as the ACE links straight into a Firewall, hence I'm gonna find this hard to do for 40 odd users....

Also, why does CONF T only work if I use the following in the user account setup and not in the group? This will be a huge pain as I will have to amend all the accounts by hand one by one!

shell:Admin*Admin default-domain

Many thanks in advance!

Javier Henderson Tue, 03/16/2010 - 09:18

Regarding your ACS question, the presence of any user specific attributes will make ACS ignore any group level attributes for that user. There is no way to combine attributes at both user and group levels.

Regarding bug CSCsu36078, what firmware version are you running on your ACE?

johngething Tue, 03/16/2010 - 09:32

Firmware =

Software
  loader:    Version 0.95.1
  system:    Version A3(2.0) [build 3.0(0)A3(2.0) adbuild_17:35:22-2008/10/01_/auto/adbu-rel4/rel_a3_2_0_dev_build/REL_3_0_0_A3_2_0]
  system image file: (hd0,1)/c4710ace-mz.A3_2_0.bin
  Device Manager version 1.1 (0) 20080805:0415

Regarding the groups - I have tested with this AV pair thing in either the group or the user separately and it only works in user accounts - any chance of a way to get the group to work?

PS many thanks for a quick response!

Javier Henderson Tue, 03/16/2010 - 09:34

Are there any AV pairs defined for the user with which you are testing? If so, none of the group level AV pairs will be in effect.
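The precedence rule Javier describes (any user-level AV pair makes ACS drop every group-level AV pair, with no merging) modelled in code, together with a parser for the ACE `shell:<role>*<domain> ...` attribute the original poster quoted. This is an added example, not code from the thread or from Cisco; the sample AV pairs are constructed and the `priv-lvl=15` pair is only an assumed stand-in for "some other user-level attribute".

```python
# Added example (not from the thread): ACS user-vs-group AV pair precedence
# and parsing of the ACE TACACS+ shell attribute.


def parse_ace_shell_attr(av_pair):
    """Parse an ACE shell attribute such as 'shell:Admin*Admin default-domain'
    into (role, [domains]). Returns None for any other AV pair."""
    prefix = "shell:"
    if not av_pair.startswith(prefix):
        return None
    role, star, domains = av_pair[len(prefix):].partition("*")
    if not star or not role.strip() or not domains.split():
        raise ValueError(f"malformed ACE shell attribute: {av_pair!r}")
    return role.strip(), domains.split()


def effective_av_pairs(user_pairs, group_pairs):
    """ACS rule from the thread: if the user has ANY AV pair of its own,
    every group-level AV pair is ignored. There is no merging."""
    return list(user_pairs) if user_pairs else list(group_pairs)


def resolve_ace_role(user_pairs, group_pairs):
    """Return the (role, domains) the ACE receives at login, or None when
    no shell attribute survives precedence (login works, but no ACE role)."""
    for pair in effective_av_pairs(user_pairs, group_pairs):
        parsed = parse_ace_shell_attr(pair)
        if parsed:
            return parsed
    return None


# Constructed sample data mirroring the poster's setup: role on the group.
GROUP_PAIRS = ["shell:Admin*Admin default-domain"]

if __name__ == "__main__":
    # Case 1: attribute only on the group, user has none -> group applies.
    print(resolve_ace_role([], GROUP_PAIRS))
    # Case 2: user carries an unrelated AV pair (assumed 'priv-lvl=15')
    # -> the group's shell attribute is silently lost, so no ACE role.
    print(resolve_ace_role(["priv-lvl=15"], GROUP_PAIRS))
```

Case 2 is the situation Javier is probing for: the group attribute is correct, but one stray user-level attribute is enough to discard it.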

johngething Tue, 03/16/2010 - 09:42

I have added them in twice while I was testing - i.e. first tried the group - this did not work; second tried the user - this worked. I did remove the AV pairs from each area before I continued.

Javier Henderson Tue, 03/16/2010 - 09:43

I understand, but besides the AV pairs for the ACE role, do you have any other AV pairs assigned to this user?

Javier Henderson Tue, 03/16/2010 - 09:55

You will then want to set the log level detail on ACS to full, reproduce the problem, and look at the auth.log and RDS.log files.
