Cisco Support Community

New Member

AAA command authorization in ACE

How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.

Kind regards

Ullas

3 REPLIES
Silver

Re: AAA command authorization in ACE

Hi Ullas,

The ACE Security Configuration Guide has whole chapters on AAA, TACACS+, RADIUS, roles etc. See http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/securgd.html

HTH

Kind Regards

Cathy

New Member

Re: AAA command authorization in ACE

Hi Cathy... I referred to the docs earlier too, and I did the following config from that.

radius-server host 10.41.168.16 key XXXXXXXX
radius-server host 10.41.168.16 auth-port 1812
radius-server host 10.41.168.16 acct-port 1813
radius-server host 10.41.168.16 authentication
radius-server host 10.41.168.16 accounting

aaa group server radius RadiusServers
  server 10.41.168.16

aaa authentication login console group RadiusServers local none
aaa accounting default group RadiusServers local

The issue I am facing is that I can't log in to config mode.

It's not authorising me to do config commands. How do I specify the option not to use the RADIUS server for command authorisation?

Ullas

Silver

Re: AAA command authorization in ACE

Hi,

See the ACE Security Guide, Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into the Network-Monitor role by default. Quote from the manual:

"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."

There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).

HTH

Cathy
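To make the rule in the quoted paragraph concrete, the following is an added Python simulation of the role and domain decision the manual describes. It is not Cisco code and not part of this thread: it models the three cases (no user profile attribute returned, a profile whose context names do not match the login context, and a matching profile) and shows why a successful RADIUS authentication can still land in Network-Monitor. The `shell:<context>*<role> <domain>...` layout used for the sample Cisco-AVPair values is an assumption made for illustration only; the exact attribute syntax for your ACE version is in the Security Guide chapter Cathy points to, and the sample Access-Accept attribute lists are constructed.

```python
"""Simulate ACE role/domain assignment after RADIUS authentication.

Added example, not Cisco's code. The attribute layout parsed here,
'shell:<context>*<role> <domain1> <domain2> ...', is an ASSUMPTION for
illustration; confirm the real syntax in the ACE Security Guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults named in the ACE Security Guide quote above.
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"


@dataclass
class Assignment:
    role: str
    domains: List[str] = field(default_factory=list)
    reason: str = ""


def parse_profile(avpairs: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Build {context_name: (role, domains)} from Cisco-AVPair strings.

    Attributes that are not 'shell:' entries, or that lack the assumed
    '<context>*<role>' shape, are ignored rather than guessed at.
    """
    profile: Dict[str, Tuple[str, List[str]]] = {}
    for av in avpairs:
        if not av.startswith("shell:"):
            continue
        body = av[len("shell:"):]
        if "*" not in body:
            continue
        context, rest = body.split("*", 1)
        parts = rest.split()
        if not parts:
            continue
        role, domains = parts[0], parts[1:] or [DEFAULT_DOMAIN]
        profile[context.strip()] = (role, domains)
    return profile


def assign_role(authenticated: bool, avpairs: List[str],
                login_context: str) -> Optional[Assignment]:
    """Apply the manual's rule: no profile, or no context match, means the
    user gets Network-Monitor in default-domain even though login succeeded."""
    if not authenticated:
        return None  # Access-Reject: no session at all
    profile = parse_profile(avpairs)
    if not profile:
        return Assignment(DEFAULT_ROLE, [DEFAULT_DOMAIN],
                          "no user profile attribute obtained from server")
    entry = profile.get(login_context)
    if entry is None:
        return Assignment(DEFAULT_ROLE, [DEFAULT_DOMAIN],
                          f"profile has no entry for context {login_context!r}")
    role, domains = entry
    return Assignment(role, list(domains), "matched profile entry")


if __name__ == "__main__":
    # Constructed Access-Accept attribute lists for three scenarios.
    scenarios = {
        "server returns no shell attribute": [],
        "profile for another context only": ["shell:C1*Admin default-domain"],
        "profile for the Admin context": ["shell:Admin*Admin default-domain"],
    }
    for label, avpairs in scenarios.items():
        result = assign_role(True, avpairs, "Admin")
        print(f"{label}: role={result.role} domains={result.domains} "
              f"({result.reason})")
```

Running the block prints the role each scenario ends up with; the first two land in Network-Monitor, which matches the symptom in the thread (authentication succeeds, configuration commands are refused). The check a practitioner would make is therefore on the RADIUS server side: does the Access-Accept carry the user profile attribute, and does its context name match the context being logged in to?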
