Integrate Cisco ACE into AAA TACACS+

Unanswered Question
Sep 11th, 2010

Dear Community!

I would like to configure Cisco ACE 4710 CLI and WebAmin to use ACS v4.2 TACACS+ authentication and accounting feature. After found a Cisco document, which describes ACE AAA features (, I have setup all configuration parameters mentioned in this document, everything seems to be OK.


I have a TACACS+ group named "Network Administrators", which has privilege level 15 option enabled, so admins do not have to type enable password when authenticating. After setting up ACE AAA, the prvilege level 15 option stops working, while logging in Cisco routers: after authentication, the user remains in privilege level 1.

Logging in Cisco switches seems to be OK, stepping immediately to level 15 as usual.

I tried upgrading IOS in a router, but no luck...

Does anybody have any experiance about this "bug"?

Thanks in advance!



@ Budapest, Hungary

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (4 ratings)
kuchma.stanislav Tue, 09/21/2010 - 02:33

Hello Bela

In ACE on every context (including Admin and other) you should have following strings:

tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
  server x.x.x.x
  server x.x.x.x

aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group x.x.x.x

On ACS side for group named "Network Administrators" you should configure in TACACS settting:

1. Shell (exec) enable

2. Privilege level 15

3. Custom attributes:

          shell:Admin*Admin default-domain

    if you have additional context add next line

          shell:mycontext*Admin default-domain

After loging to ACE and issuing sh users command you should see following

User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
*adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain



amaskell Fri, 11/25/2011 - 06:19

Hi Stas,

     Do you have any advice on setting up ACS 5.2

I tried creating a shell profile that has a custom attribute similar to above but couldn't get it working.



kuchma.stanislav Fri, 11/25/2011 - 07:47

Hello Andrew,

This settings are working in ACS 5.2. What do you have in ACS log? Are user authorized with less privileges or doesn't athorized at all?

Best Regards,


amaskell Fri, 12/02/2011 - 08:30

Hi Stas,

The user gets authenticated but only get Network-Monitor priviledge.... below is a screenshot of my Shell Profile with the attribute - this is where I think I am going wrong..... what do you think

kuchma.stanislav Fri, 12/02/2011 - 12:50

Hello Andrew,

     Could you please provide TACACS log from ACS and verify in log that correct SHELL PROFILE are choosen. Also - how many context do you have? In Monday I try to veify settings in ACS (today I don't have direct access to ACS & ACE - this devices are left on my previuos job)

Best Regards,


kuchma.stanislav Mon, 12/05/2011 - 00:25

In Attribute row you should write shell:Admin and in Value - Admin default-domain




This Discussion

Related Content