Custom attribute on group in ACS for ACE

Unanswered Question
Aug 21st, 2010

I am working on setting up RBAC on my ACE device. To give a user a specific role one uses the Custom attribute "shell:<Context>*<Role> <Domain>".

The command is working if I define it directly on the user, in addition using the Custom attribute directly. With that I mean not using a TACACS+ (Cisco IOS) -> "New Service" attached to the user.

Has anyone gotten this to work either with (optional) or with a "TACACS+ (Cisco IOS)" service? The same goes for both appliance and module.

Also, I am looking to get this working on a group. Not only on a user.

Thanks in advance for any help!

chrhiggi Wed, 12/08/2010 - 16:52

Hello Ole Marius!

Take a look at the document I attached; it is a brief walkthrough on setting up TACACS+ (Cisco IOS) with ACE using either individual users or groups. You should not use, nor need, the new service/optional configuration for this to work with ACE.


Chris Higgins

olemariuss Thu, 12/09/2010 - 00:08

Hi Christopher, and thanks for the response!

I have already tried as you asked and do manage to log in with the correct role using the Custom Attribute directly on the user. The problems I am facing are generally two:

  1. I have experienced that setting a shell-command directly on a user, and not through a "New Service", can cause problems when logging in on other Cisco devices using the same ACS server and user (e.g. the non-ACE device will freeze/crash/etc.). An (optional) tag or using "New Service" has solved this problem earlier. Will the * guarantee that this does not happen, as it is said to make the command optional? The organization I am implementing this for has a wide range of Cisco products. Testing each type at every SW upgrade for this bug will be an enormous task.
  2. I cannot make this work when applying the same shell-command to a User Group (I only get logged in as Network-Monitor). Have you gotten it to work using groups? In that case, which version of ACS and ACE are you using? The organization I am implementing this for is a large one. Managing each user one by one is not an option.


Ole M. Steinkjer

chrhiggi Thu, 12/09/2010 - 12:33

Using "*" in the custom attribute means that the device receiving those details should ignore it if it does not understand the input. "=" forces the device to parse the input whether it understands it or not. We only support specific products, so I can say for our other Content devices, "*" works just fine. It "should" work with other Cisco devices assuming you don't hit bugs on those devices.

For the group, I have had it work in the past, but I will check again in my lab and get back to you with the settings/version information!


Chris Higgins
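As an added illustration (not part of this thread, and not Cisco's code) of the "=" versus "*" separator semantics Chris describes, here is a small Python model of how a device processes a TACACS+ authorization reply, with the ACE form "shell:<Context>*<Role> <Domain>" decoded on top. The device predicates, the context names, and the assumption that extra tokens after the role are further domains are mine, not from the thread.

```python
import re
from dataclasses import dataclass
from typing import Callable

# One TACACS+ attribute-value pair as a device sees it in an authorization reply.
@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool   # True for 'attr=value', False for 'attr*value'

AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

def parse_av_pair(raw: str) -> AVPair:
    """Split a pair at its first '=' or '*'. '=' marks an attribute the device
    must understand; '*' marks one it may skip when it does not recognise it."""
    m = AV_RE.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, sep == "=")

def parse_ace_role(pair: AVPair) -> tuple:
    """Decode the ACE form 'shell:<Context>*<Role> <Domain>' into
    (context, role, domains). Assumption: tokens after the role are domains."""
    if not pair.attr.startswith("shell:"):
        raise ValueError(f"not an ACE role attribute: {pair.attr!r}")
    context = pair.attr[len("shell:"):]
    role, *domains = pair.value.split()
    if not domains:
        raise ValueError("ACE role value needs a role and at least one domain")
    return context, role, domains

def authorize(raw_pairs: list, understands: Callable[[str], bool]) -> tuple:
    """Model a device applying a reply: recognised attributes are applied,
    unknown optional ones are ignored, an unknown mandatory one fails the reply."""
    applied = {}
    for raw in raw_pairs:
        p = parse_av_pair(raw)
        if understands(p.attr):
            applied[p.attr] = p.value
        elif p.mandatory:
            return False, {}          # device must understand it but cannot
    return True, applied

# Constructed device models: an IOS box that only knows priv-lvl, and an ACE
# that only looks at the shell:<Context> pair for the context being logged into.
ios_device = lambda attr: attr == "priv-lvl"
def ace_context(name: str) -> Callable[[str], bool]:
    return lambda attr: attr == f"shell:{name}"
```

Running the same user's reply against both models shows why the "*" form is safe to share across an IOS device and an ACE, while the "=" form makes the IOS device reject the whole authorization.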
