ACS 4.0 AAA TACACS Juniper attribute length reached

We're using Cisco ACS 4.0 to "AAA" our users on both Cisco routers and switches and Juniper devices. TACACS+ is working fine so far, but it is causing some trouble with the configuration for Juniper devices.

To use TACACS+ with Juniper devices we made the following changes:

In "System Configuration" -> "TACACS+ (Cisco IOS)" we added a "New Service" in user and group called "junos-exec". We assigned the following attributes to "junos-exec" by editing the new service in the group settings under "TACACS+ Settings":

local-user-name=read-network

allow-commands=(show route protocol direct)|(show in.)|ping|exit|quit|(show arp)|(show ve.)|(show ch.)|(show system up.)

deny-commands="^."

This works fine.

But if we add more commands to "allow-commands", the character limit seems to be reached.

The TCS log (<prog-path>\CiscoSecure ACS v4.0\CSTacacs\Logs) shows:

TCS 18/12/2006 15:42:49 I 0040 0216 arg[0] size=28 =local-user-name=read-network

TCS 18/12/2006 15:42:49 I 0040 0216 arg[1] size=160 =allow-commands=(show route protocol direct)|(show system up.)|(show in.)|ping|exit|quit|(show arp)|(show ve.)|(show ch.)|(show ldp)|(show mpls)|(show route bgp)

TCS 18/12/2006 15:42:49 I 0040 0216 arg[2] size=18 =deny-commands="^."

How can we increase the character limit from 160 to anything else, e.g. 3000?
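As an added example (not from the poster and not Cisco ACS code), here is a small Python checker that parses the CSTacacs arg lines quoted above, confirms that the logged size matches the value's real length, flags any argument sitting at the 160-byte size seen in the log, and reports which planned junos-exec attributes would reach that size before they are pushed. Treating 160 as a hard cap is an assumption taken from the log, not a documented ACS limit, and the appended "(show ospf neighbor)" alternative is a constructed value.

```python
import re

# The poster's TCS log shows arg[1] logged at exactly 160 bytes when the limit is hit.
# ASSUMPTION: 160 is treated as the hard cap here; the post does not state the real maximum.
OBSERVED_ARG_LIMIT = 160

# Shape of a CSTacacs arg line, as quoted in the post:
# "TCS <date> <time> <lvl> <nnnn> <nnnn> arg[<i>] size=<n> =<name>=<value>"
TCS_ARG_RE = re.compile(
    r"^TCS \S+ \S+ \S \d{4} \d{4} arg\[(?P<idx>\d+)\] size=(?P<size>\d+) "
    r"=(?P<name>[^=]+)=(?P<value>.*)$"
)

def encoded_length(name, value):
    """Bytes of one TACACS+ authorization argument as sent on the wire: 'name=value'."""
    return len(f"{name}={value}".encode())

def parse_tcs_arg_line(line):
    """Parse one arg line and compare the logged size with the value's real length."""
    m = TCS_ARG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a TCS arg line: {line!r}")
    logged = int(m["size"])
    actual = encoded_length(m["name"], m["value"])
    return {
        "idx": int(m["idx"]), "name": m["name"],
        "logged_size": logged, "actual_size": actual,
        "size_matches": logged == actual,   # False points at a truncated or garbled line
        "at_limit": logged >= OBSERVED_ARG_LIMIT,
    }

def check_attributes(attrs, limit=OBSERVED_ARG_LIMIT):
    """Names of planned service attributes whose encoded form reaches the limit."""
    return [n for n, v in attrs.items() if encoded_length(n, v) >= limit]

# Constructed sample: the three arg lines quoted in the post, retyped.
SAMPLE_LOG = [
    "TCS 18/12/2006 15:42:49 I 0040 0216 arg[0] size=28 =local-user-name=read-network",
    "TCS 18/12/2006 15:42:49 I 0040 0216 arg[1] size=160 =allow-commands=(show route protocol direct)|(show system up.)|(show in.)|ping|exit|quit|(show arp)|(show ve.)|(show ch.)|(show ldp)|(show mpls)|(show route bgp)",
    'TCS 18/12/2006 15:42:49 I 0040 0216 arg[2] size=18 =deny-commands="^."',
]

# Constructed: the poster's allow-commands value with one more alternative appended.
PLANNED_ATTRS = {
    "local-user-name": "read-network",
    "allow-commands": SAMPLE_LOG[1].split("=allow-commands=", 1)[1] + "|(show ospf neighbor)",
    "deny-commands": '"^."',
}
```

Calling parse_tcs_arg_line on each SAMPLE_LOG entry marks only arg[1] as at_limit, and check_attributes(PLANNED_ATTRS) returns ['allow-commands'] because the extended value encodes to 181 bytes.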
