1499
Views
0
Helpful
3
Replies

Custom attribute on group in ACS for ACE

olemariuss
Level 1

I am working on setting up RBAC on my ACE device. To give a user a specific role one uses the Custom attribute "shell:<Context>*<Role> <Domain>".

The command works if I define it directly on the user, that is, using the Custom attribute directly. By that I mean not using a TACACS+ (Cisco IOS) -> "New Service" attached to the user.

Has anyone gotten this to work either with (optional) or with a "TACACS+ (Cisco IOS)" service? The same goes for both appliance and module.

Also, I am looking to get this working on a group. Not only on a user.

Thanks in advance for any help!

3 Replies

chrhiggi
Level 3

Hello Ole Marius!

Take a look at the document I attached; it is a brief walkthrough on setting up TACACS+ (Cisco IOS) with ACE using either individuals or groups. You should not use, nor need, the new service/optional configuration for this to work with ACE.

Regards,

Chris Higgins

Hi Christopher and thanks for the response!

I have already tried what you suggested and do manage to log in with the correct role using the Custom Attribute directly on the user. The problems I am facing are generally two:

  1. I have experienced that setting a shell-command directly on a user, and not through a "New Service", can cause problems when logging in on other Cisco devices using the same ACS server and user (e.g. the non-ACE will freeze/crash/etc.). An (optional)-tag or using "New Service" has solved this problem earlier. Will the * guarantee that this does not happen, as it is said to make the command optional? The organization I am implementing this for has a wide range of Cisco products. Testing each type at every SW upgrade for this bug will be an enormous task.
  2. I cannot make this work when applying the same shell-command to a User Group (I only get logged in as Network-Monitor). Have you gotten it to work using groups? In that case, which version of ACS and ACE are you using? The organization I am implementing this for is a large one. Managing each user one by one is not an option.

regards,

Ole M. Steinkjer

Using "*" in the custom attribute means that the device receiving those details should ignore it if it does not understand the input.  "=" forces the device to parse the input whether it understands it or not.  We only support specific products, so I can say for our other Content devices, "*" works just fine.  It "should" work with other Cisco devices assuming you don't hit bugs on those devices.

For the group, I have had it work in the past, but I will check again in my lab and get back to you with the settings/version information!

Regards,

Chris Higgins
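The "*" versus "=" behaviour Chris describes above, as an added example that is not from this thread or from Cisco: a small Python model of how a TACACS+ client treats optional and mandatory AV pairs, with the ACE "shell:<Context>*<Role> <Domain>" attribute decoded. The sample pairs, context/role/domain names and the two client predicates are constructed assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample AV pairs (hypothetical names), as an ACS server might return.
SAMPLE_PAIRS = [
    "shell:Admin*Admin default-domain",            # "*": optional, ignorable if unknown
    "priv-lvl=15",                                 # "=": mandatory, widely understood
    "shell:Admin=Network-Monitor default-domain",  # same ACE attribute made mandatory
]
AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")  # attribute, first "=" or "*", value

@dataclass
class AVPair:
    attribute: str
    mandatory: bool  # True for "=", False for "*"
    value: str

def parse_av_pair(raw: str) -> AVPair:
    """Split one AV pair at its first '=' (mandatory) or '*' (optional)."""
    m = AV_RE.match(raw)
    if not m:
        raise ValueError(f"malformed AV pair: {raw!r}")
    attr, sep, value = m.groups()
    return AVPair(attribute=attr, mandatory=(sep == "="), value=value)

def parse_ace_shell(pair: AVPair):
    """Decode 'shell:<Context>[*|=]<Role> <Domain>...'; None if not that shape."""
    if not pair.attribute.startswith("shell:"):
        return None
    context = pair.attribute[len("shell:"):]
    parts = pair.value.split()
    if not context or not parts:
        return None
    return {"context": context, "role": parts[0], "domains": parts[1:]}

def authorize(raw_pairs, understands):
    """Client rule: unknown mandatory pair -> None (fail); unknown optional -> ignored."""
    accepted, ignored = [], []
    for raw in raw_pairs:
        pair = parse_av_pair(raw)
        if understands(pair.attribute):
            accepted.append(pair)
        elif pair.mandatory:
            return None, ignored
        else:
            ignored.append(pair)
    return accepted, ignored

# Hypothetical clients: an ACE that knows shell:<Context>; a generic device that knows only priv-lvl.
ace_understands = lambda a: a == "priv-lvl" or a.startswith("shell:")
generic_understands = lambda a: a == "priv-lvl"
```

Running `authorize(SAMPLE_PAIRS, generic_understands)` shows the difference: the "*" pair is skipped, while the "=" form of the same attribute fails the whole authorization on a device that does not know it.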