Integrate Cisco ACE into AAA TACACS+

Unanswered Question
Sep 11th, 2010

Dear Community!


I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I set up all the configuration parameters mentioned in this document, and everything seems to be OK.

But...

I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains at privilege level 1.

Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.

I tried upgrading IOS in a router, but no luck...


Does anybody have any experience with this "bug"?


Thanks in advance!


Regards,


Belabacsi

@ Budapest, Hungary

kuchma.stanislav Tue, 09/21/2010 - 02:33

Hello Bela

In ACE, on every context (including Admin and the others) you should have the following strings:

tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
  server x.x.x.x
  server x.x.x.x

aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group MYTACACS


On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:

1. Shell (exec) enabled

2. Privilege level 15

3. Custom attributes:

          shell:Admin*Admin default-domain

    If you have an additional context, add the next line:

          shell:mycontext*Admin default-domain


After logging in to ACE and issuing the sh users command you should see the following:

User      Context   Line    Login Time    (Location)   Role    Domain(s)
*adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain


Regards,

Stas

amaskell Fri, 11/25/2011 - 06:19

Hi Stas,

Do you have any advice on setting up ACS 5.2?

I tried creating a shell profile that has a custom attribute similar to above but couldn't get it working.


Thanks,


-Andrew

kuchma.stanislav Fri, 11/25/2011 - 07:47

Hello Andrew,

These settings work in ACS 5.2. What do you have in the ACS log? Are users authorized with fewer privileges, or not authorized at all?


Best Regards,

Stas

amaskell Fri, 12/02/2011 - 08:30

Hi Stas,

The user gets authenticated but only gets the Network-Monitor privilege. Below is a screenshot of my Shell Profile with the attribute; this is where I think I am going wrong. What do you think?

kuchma.stanislav Fri, 12/02/2011 - 12:50

Hello Andrew,

Could you please provide the TACACS+ log from ACS and verify in the log that the correct SHELL PROFILE is chosen. Also, how many contexts do you have? On Monday I will try to verify the settings in ACS (today I don't have direct access to ACS and ACE; these devices were left at my previous job).


Best Regards,

Stas

kuchma.stanislav Mon, 12/05/2011 - 00:25


In the Attribute row you should write shell:Admin, and in Value, Admin default-domain.


Regards,

Stas
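The two answers above describe the same ACE authorization attribute in two shapes: ACS 4.x takes one custom attribute string, shell:<context>*<role> <domain>, while ACS 5.x splits it into an attribute name (shell:<context>) and a value (<role> <domain>). The script below is an added example written for this thread, not Cisco's code and not posted by anyone in the discussion. It parses both shapes, reports the role and domains a user would get per context, and rejects the malformed case Andrew hit (the whole 4.x string pasted into the 5.x attribute-name field). The fallback to the Network-Monitor role for a context with no matching attribute is an assumption based on what Andrew reported, not something taken from Cisco documentation.

```python
"""Check ACE role/domain authorization attributes before pushing them to ACS.

Added example for this thread; not Cisco's code. Assumed attribute shapes:
  * ACS 4.x: one string  "shell:<context>*<role> <domain> [<domain> ...]"
  * ACS 5.x: name "shell:<context>", value "<role> <domain> [<domain> ...]"
Assumed fallback when no attribute matches the login context: the restrictive
Network-Monitor role in default-domain (as reported in the thread, not verified
against Cisco docs).
"""
import re
from dataclasses import dataclass

DEFAULT_ROLE = "Network-Monitor"   # assumed fallback role
DEFAULT_DOMAIN = "default-domain"  # assumed fallback domain

_NAME_RE = re.compile(r"^shell:(?P<ctx>[A-Za-z0-9_.-]+)$")


@dataclass(frozen=True)
class ContextAuthz:
    """Role and domains granted in one ACE context."""
    context: str
    role: str
    domains: tuple


def parse_attribute(name, value=None):
    """Parse an ACE shell attribute in ACS 4.x or ACS 5.x form.

    name  -- attribute name (5.x) or the whole "shell:ctx*role domains" string (4.x)
    value -- attribute value in 5.x form; None selects the 4.x single-string form
    Raises ValueError for anything that does not match either shape.
    """
    name = name.strip()
    if value is None:
        # ACS 4.x: context and role are separated by the first '*'
        if "*" not in name:
            raise ValueError(f"missing '*' between context and role: {name!r}")
        name, value = name.split("*", 1)
    m = _NAME_RE.match(name)
    if not m:
        # Catches the 5.x mistake of putting "*Admin default-domain" in the name field
        raise ValueError(f"attribute name must be shell:<context>, got {name!r}")
    parts = value.split()
    if len(parts) < 2:
        raise ValueError(f"value must be '<role> <domain> ...', got {value!r}")
    return ContextAuthz(m.group("ctx"), parts[0], tuple(parts[1:]))


def is_well_formed(name, value=None):
    """True when parse_attribute accepts the attribute, False otherwise."""
    try:
        parse_attribute(name, value)
        return True
    except ValueError:
        return False


def effective_authz(attributes, login_context):
    """Return (role, domains) a user would get when logging in to login_context."""
    for a in attributes:
        if a.context == login_context:
            return a.role, a.domains
    return DEFAULT_ROLE, (DEFAULT_DOMAIN,)


def audit_profile(pairs, contexts):
    """Map each ACE context to the (role, domains) a shell profile grants.

    pairs -- list of (name, value) tuples as entered in an ACS 5.x shell profile
    contexts -- the contexts configured on the ACE
    """
    parsed = [parse_attribute(n, v) for n, v in pairs]
    return {ctx: effective_authz(parsed, ctx) for ctx in contexts}


if __name__ == "__main__":
    # Constructed sample: an ACS 5.x shell profile for a two-context ACE
    profile = [("shell:Admin", "Admin default-domain"),
               ("shell:mycontext", "Admin default-domain")]
    for ctx, (role, doms) in audit_profile(profile, ["Admin", "mycontext", "lab"]).items():
        print(f"{ctx:12} role={role:16} domains={' '.join(doms)}")
    # The mistake from the thread: whole 4.x string in the 5.x name field, empty value
    print("malformed rejected:", not is_well_formed("shell:Admin*Admin default-domain", ""))
```

Running it prints Admin/default-domain for the two configured contexts and the assumed Network-Monitor fallback for the unconfigured "lab" context, and confirms the malformed entry is rejected, which is the symptom Andrew saw (authenticated, but only Network-Monitor).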

amaskell Thu, 12/15/2011 - 07:46

Hi Stas,

That worked a treat!!


Thanks for your effort.
