Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Integrate Cisco ACE into AAA TACACS+

Dear Community!

I would like to configure Cisco ACE 4710 CLI and WebAmin to use ACS v4.2 TACACS+ authentication and accounting feature. After found a Cisco document, which describes ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have setup all configuration parameters mentioned in this document, everything seems to be OK.

But...

I have a TACACS+ group named "Network Administrators", which has privilege level 15 option enabled, so admins do not have to type enable password when authenticating. After setting up ACE AAA, the prvilege level 15 option stops working, while logging in Cisco routers: after authentication, the user remains in privilege level 1.

Logging in Cisco switches seems to be OK, stepping immediately to level 15 as usual.

I tried upgrading IOS in a router, but no luck...

Does anybody have any experiance about this "bug"?

Thanks in advance!

Regards,

Belabacsi

@ Budapest, Hungary

Everyone's tags (5)
8 REPLIES
New Member

Re: Integrate Cisco ACE into AAA TACACS+

Hello Bela

In ACE on every context (including Admin and other) you should have following strings:

tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
  server x.x.x.x
  server x.x.x.x

aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group x.x.x.x

On ACS side for group named "Network Administrators" you should configure in TACACS settting:

1. Shell (exec) enable

2. Privilege level 15

3. Custom attributes:

          shell:Admin*Admin default-domain

    if you have additional context add next line

          shell:mycontext*Admin default-domain

After loging to ACE and issuing sh users command you should see following

User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
*adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain

Regards,

Stas

New Member

Integrate Cisco ACE into AAA TACACS+

Hi Stas,

     Do you have any advice on setting up ACS 5.2

I tried creating a shell profile that has a custom attribute similar to above but couldn't get it working.

Thanks,

-Andrew

New Member

Integrate Cisco ACE into AAA TACACS+

Hello Andrew,

This settings are working in ACS 5.2. What do you have in ACS log? Are user authorized with less privileges or doesn't athorized at all?

Best Regards,

Stas

New Member

Integrate Cisco ACE into AAA TACACS+

Hi Stas,

The user gets authenticated but only get Network-Monitor priviledge.... below is a screenshot of my Shell Profile with the attribute - this is where I think I am going wrong..... what do you think

New Member

Integrate Cisco ACE into AAA TACACS+

Hello Andrew,

     Could you please provide TACACS log from ACS and verify in log that correct SHELL PROFILE are choosen. Also - how many context do you have? In Monday I try to veify settings in ACS (today I don't have direct access to ACS & ACE - this devices are left on my previuos job)

Best Regards,

Stas

New Member

Re: Integrate Cisco ACE into AAA TACACS+

In Attribute row you should write shell:Admin and in Value - Admin default-domain

Regards,

Stas

New Member

Re: Integrate Cisco ACE into AAA TACACS+

Hi Stas,

That worked a treat!!

Thanks for your effort

New Member

Re: Integrate Cisco ACE into AAA TACACS+

Hello Andrew

Nice to hear this.

Best Regards,

Stas

13001
Views
24
Helpful
8
Replies