09-20-2010 10:46 AM
I'm perplexed. My "show crypto" command tree seems to have disappeared from my ACE.
I am running:
dc4pt-lb-01/tier1# sh ver
Cisco Application Control Software (ACSW)
<snip>
Software
loader: Version 12.2[120]
system: Version A2(1.6a) [build 3.0(0)A2(1.6a) adbuild_08:46:04-2009/10/16_/auto/adbu-rel4/rel_a2_1_6_throttle/REL_3_0_0_A2_1_6A]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_6a.bin
installed license: ACE-VIRT-020 ACE-SEC-LIC-K9
Hardware
Cisco ACE (slot: 6)
But when I went in to check my certificates, I get:
dc4pt-lb-01/tier1# show crypto
^
% invalid command detected at '^' marker.
This is strange. The same commands work fine on another ACE running the same level of software and logged in enable mode in the same context.
The certificates are installed and working - I can browse to the VIP and verify the installed certificate from my browser.
09-20-2010 12:20 PM
Can you do a "show role" before you try "show crypto"? In A2(1.2) and later you cannot do
show crypto and show ft commands were disabled in network monitor role starting in A2(1.3).
09-20-2010 12:59 PM
Ah, excellent catch. That's it. We recently enabled TACACS authentication on the non-working device and apparently we need to tweak the roles. I am only in as "Network Monitor":
dc4pt-lb-01/Admin# sh role
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Monitor all
2. Permit Monitor changeto
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
dc4pt-lb-01/Admin#
In my other devices I have all permissions:
dc4-lb-01/Admin# sh role
Role: Admin (System-defined)
Description: Administrator
Number of rules: 5
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create all
2. Permit Create user access
3. Permit Create system
4. Permit Create changeto
5. Permit Create exec-commands
Role: Network-Admin (System-defined)
Description: Admin for L3 (IP and Routes) and L4 VIPs
Number of rules: 8
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create interface
2. Permit Create routing
3. Permit Create connection
4. Permit Create nat
5. Permit Create vip
6. Permit Create config_copy
7. Permit Create changeto
8. Permit Create exec-commands
Role: Server-Maintenance (System-defined)
Description: Server maintenance, monitoring and debugging
Number of rules: 7
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Modify real
2. Permit Debug serverfarm
3. Permit Debug vip
4. Permit Debug probe
5. Permit Debug loadbalance
6. Permit Create changeto
7. Permit Create exec-commands
Role: Server-Appln-Maintenance (System-defined)
Description: Server maintenance and L7 policy application
Number of rules: 7
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create real
2. Permit Create serverfarm
3. Permit Create loadbalance
4. Permit Create config_copy
5. Permit Create real-inservice
6. Permit Create exec-commands
7. Permit Create changeto
Role: SLB-Admin (System-defined)
Description: Administrator for all load-balancing features
Number of rules: 11
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create real
2. Permit Create serverfarm
3. Permit Create vip
4. Permit Create probe
5. Permit Create loadbalance
6. Permit Create nat
7. Permit Modify interface
8. Permit Create config_copy
9. Permit Create exec-commands
10. Permit Create real-inservice
11. Permit Create changeto
Role: Security-Admin (System-defined)
Description: Administrator for all security features
Number of rules: 9
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create access-list
2. Permit Create inspect
3. Permit Create connection
4. Permit Modify interface
5. Permit Create AAA
6. Permit Create nat
7. Permit Create config_copy
8. Permit Create changeto
9. Permit Create exec-commands
Role: SSL-Admin (System-defined)
Description: Administrator for all SSL features
Number of rules: 6
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create ssl
2. Permit Create pki
3. Permit Modify interface
4. Permit Create config_copy
5. Permit Create changeto
6. Permit Create exec-commands
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Monitor all
2. Permit Monitor changeto
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
dc4-lb-01/Admin#
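As an added illustration (not code from the thread or from Cisco), the small parser below reads `show role` output in the format shown above and reports a role's effective access to a feature such as "pki", which is what decides whether the "show crypto" tree is visible. It assumes the rule-line shape "<n>. <Permit|Deny> <level> <feature>" and that an explicit Deny on a feature overrides "Permit Monitor all", which is the behaviour the Network-Monitor role exhibits in this thread; the sample output is constructed.

```python
# Added example, not from the thread: parse ACE `show role` output and report a
# role's effective access to a feature (assumed rule semantics, see lead-in).
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample in the format of the thread's `show role` output.
SAMPLE_SHOW_ROLE = """\
Role: SSL-Admin (System-defined)
Description: Administrator for all SSL features
Number of rules: 2
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create ssl
2. Permit Create pki
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 3
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Monitor all
2. Deny Create fault-tolerance
3. Deny Create pki
"""

ROLE_RE = re.compile(r"^Role:\s+(\S+)")
# "<n>. <Permit|Deny> <level> <feature>"; the feature may contain spaces
RULE_RE = re.compile(r"^\d+\.\s+(Permit|Deny)\s+(\w+)\s+(.+?)\s*$")

def parse_show_role(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {role_name: [(type, permission, feature), ...]} in listed order."""
    roles: Dict[str, List[Tuple[str, str, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles[current] = []
            continue
        m = RULE_RE.match(line.strip())
        if m and current is not None:
            roles[current].append((m.group(1), m.group(2), m.group(3)))
    return roles

def feature_access(rules: List[Tuple[str, str, str]], feature: str) -> Optional[str]:
    """"denied" if a Deny rule names the feature (assumed to win over
    "Permit ... all"), else the level of the first matching Permit, else None."""
    if any(t == "Deny" and f == feature for t, _, f in rules):
        return "denied"
    for t, level, f in rules:
        if t == "Permit" and f in (feature, "all"):
            return level
    return None
```

Running `feature_access(parse_show_role(SAMPLE_SHOW_ROLE)["Network-Monitor"], "pki")` returns "denied", which is the condition to look for when a monitoring-only TACACS role unexpectedly loses the certificate commands.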
09-20-2010 02:21 PM
I confirmed the fix. On the TACACS server I needed to add the shell command custom attributes: "shell:Admin*Admin default-domain" on my TACACS server's user group properties. Restarting the server and then re-logging into my ACE now presents me with all the expected commands.