
received unknown mandatory AV: shell:Admin=Admin default-domain

Hi,

In order to use TACACS+ login on our new ACE service modules we changed our ACS group settings for admins:

Before:

Shell (exec) - checked

Privilege level - checked: 15

Afterwards:

Shell (exec) - checked

Privilege level - checked: 15

Custom attributes - checked:

shell:Admin=Admin default-domain

As soon as this is done, TACACS+ authentication on the ACE modules works fine, but we are not able to log into any other IOS box anymore.

Reason:

AAA/AUTHOR/EXEC: tty2 (2574833980) user='myaccount'

tty2 AAA/AUTHOR/EXEC (2574833980): send AV service=shell

tty2 AAA/AUTHOR/EXEC (2574833980): send AV cmd*

tty2 AAA/AUTHOR/EXEC (2574833980): found list "default"

tty2 AAA/AUTHOR/EXEC (2574833980): Method=tacacs+ (tacacs+)

AAA/AUTHOR/TAC+: (2574833980): user=myaccount

AAA/AUTHOR/TAC+: (2574833980): send AV service=shell

AAA/AUTHOR/TAC+: (2574833980): send AV cmd*

AAA/AUTHOR (2574833980): Post authorization status = PASS_ADD

AAA/AUTHOR/EXEC: Processing AV service=shell

AAA/AUTHOR/EXEC: Processing AV cmd*

AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin default-domain

AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin default-domain

AAA/AUTHOR/EXEC: Authorization FAILED

Is there a way I can log into a normal IOS box and an ACE module with one single TACACS+ account?

Regards,

Robert


Re: received unknown mandatory AV: shell:Admin=Admin default-dom

I think I solved it:

ACS Server:

-->edit user or group

-->goto section 'Checking this option will PERMIT all UNKNOWN Services'

-->check the 'Default (Undefined) Services' checkbox

It's even documented in the ACE security configuration guide.

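The client-side rule the debug output in the question turns on, as an added example (not code from either post, nor from Cisco): TACACS+ separates a mandatory AV pair with `=` and an optional one with `*` (RFC 8907), and a client that does not recognise a mandatory attribute must fail the authorization, while an unrecognised optional attribute is simply skipped. The set `IOS_KNOWN_SHELL_ATTRS` is an illustrative subset assumed for the demo, not an exhaustive IOS list.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AV pairs the ACS group returns after the change
# described in the question. 'cmd*' is an optional AV with an empty value,
# exactly as it appears in the posted debug output.
SAMPLE_REPLY = ["service=shell", "cmd*", "priv-lvl=15",
                "shell:Admin=Admin default-domain"]

@dataclass
class AVPair:
    attr: str
    value: str
    mandatory: bool

def parse_av(av):
    """Split a TACACS+ AV string on its first separator.
    '=' marks a mandatory attribute, '*' an optional one (RFC 8907)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", av, re.S)
    if not m:
        raise ValueError("malformed AV pair: %r" % av)
    attr, sep, value = m.groups()
    return AVPair(attr, value, mandatory=(sep == "="))

# Hypothetical subset of the service=shell attributes a plain IOS EXEC
# authorization understands; assumed for this demo only.
IOS_KNOWN_SHELL_ATTRS = {"service", "cmd", "priv-lvl", "autocmd",
                         "idletime", "timeout", "acl"}

def ios_exec_authorize(avs, known=IOS_KNOWN_SHELL_ATTRS):
    """Mimic the behaviour shown in the question's debug: one unknown
    mandatory AV fails the whole EXEC authorization, unknown optional AVs
    are ignored. Returns ("FAIL", reason) or ("PASS", applied_pairs)."""
    applied = []
    for raw in avs:
        av = parse_av(raw)
        if av.attr in known:
            applied.append(av)
        elif av.mandatory:
            return "FAIL", "received unknown mandatory AV: " + raw
        # unknown optional AV: skipped silently
    return "PASS", applied
```

Running `ios_exec_authorize(SAMPLE_REPLY)` reproduces the FAIL line from the posted debug; the same reply with the custom attribute written as `shell:Admin*Admin default-domain` passes, because the IOS side is then allowed to ignore what it does not understand.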