
ACE and AAA (TACACS+)

Hi there,

I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I got the message authorization failed. Here is the AAA debug from the switch:

Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1

Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED

Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS

Any idea what's wrong ??

Best regards Dirk

1 ACCEPTED SOLUTION


Re: ACE and AAA (TACACS+)

Hi Dirk,

Any specific reason/requirement that you have to configure the attribute shell:Admin=Admin?

Apart from that, the device is rejecting it, as it is not able to understand it, and on top of that we have made it a mandatory attribute.

Try this,

shell:Admin*Admin

* -> Optional Attribute

Regards,

Prem
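
A model of the check behind the "received unknown mandatory AV" line in the debug output, run over the AV pairs from the question and then over the same pairs with the suggested `*` separator. This is an added example, not code from the thread or from Cisco; the set of attributes the client understands (`KNOWN_ATTRS`) and all function names are assumptions made for the illustration.

```python
import re

# Attributes this modelled client understands. Assumption for the example:
# the real set depends on the device and its software version.
KNOWN_ATTRS = {"service", "cmd", "priv-lvl"}

# The four "Processing AV" lines from the debug output in the question.
DEBUG_LOG = """\
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
"""

def avs_from_debug(log):
    """Extract the AV pairs the device reported processing."""
    return re.findall(r"Processing AV (\S+)", log)

def parse_av(pair):
    """Split at the first '=' (mandatory) or '*' (optional) separator."""
    m = re.match(r"([^=*]+)([=*])(.*)$", pair)
    if not m:
        raise ValueError(f"not an AV pair: {pair!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value

def authorize(av_pairs, known=KNOWN_ATTRS):
    """Model the client's decision; returns (ok, applied, ignored, rejected)."""
    applied, ignored = {}, []
    for pair in av_pairs:
        name, mandatory, value = parse_av(pair)
        if name in known:
            applied[name] = value
        elif mandatory:
            # Unknown and mandatory: the whole authorization fails.
            return False, applied, ignored, pair
        else:
            # Unknown but optional: skipped, login proceeds.
            ignored.append(pair)
    return True, applied, ignored, None

if __name__ == "__main__":
    original = avs_from_debug(DEBUG_LOG)
    fixed = [p.replace("shell:Admin=Admin", "shell:Admin*Admin") for p in original]
    for label, avs in (("mandatory", original), ("optional", fixed)):
        ok, applied, ignored, rejected = authorize(avs)
        print(label, "PASS" if ok else "FAILED", applied, ignored, rejected)
```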

3 REPLIES


Re: ACE and AAA (TACACS+)

Hi Prem,

Thanks a lot. It's working now...

FYI, I need this attribute for role mapping USER<>ROLE in the ACE.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045

Can you give me a link where I can find the information you gave me?

Best regards

Dirk

Re: ACE and AAA (TACACS+)

Nevermind....

Try, shell:Admin*Admin

Regards,

Prem
