ACE 4700 and Cisco ACS aaa authentication

cisco24x7
Level 6

ACE software version:

loader: Version 0.95

system: Version A1(7b) [build 3.0(0)A1(7b)

Cisco ACS version 4.0.1

I am trying to authenticate admin users with AAA authentication for ACE management.

This is what I've done:

ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49

warning: numeric key will not be encrypted

ACE-lab/Admin(config)# aaa group server tacacs+ cciesec

ACE-lab/Admin(config-tacacs+)# server ?

<A.B.C.D> TACACS+ server name

ACE-lab/Admin(config-tacacs+)# server 192.168.3.10

can not find the TACACS+ server

specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry

ACE-lab/Admin(config-tacacs+)#

Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.

Please help. Thanks.

20 Replies

You do not have any other access to the device?

What about console? Do you also run TACACS on console?

G.

This is what I did:

1. Configure AAA configuration on the ACE box.
2. Go to my Cisco ACS and stop the ACS service. That enables me to log into the ACE box with "admin/admin".
3. Enable Cisco ACS service on the ACS server.
4. Now I can log into the ACE box with the ngx1 account. However, I cannot go into the "conf t" mode.

Can anyone help? Thanks in advance.

Next thing is to get a sniffer trace of the TACACS exchange.

We'll need the key to decode.

You can also try to upgrade to A1(8a) or A3(1.0).

Finally, a service request with the TAC seems appropriate.

Gilles.

I found the following in the ACE 4700 release notes:

CSCsl48103-When the ACE is configured for TACACS+ authentication with a user context and the Cisco ACS sends the cisco-av-pair* attribute before the ACE custom shell attribute, you cannot log in to the ACE via TACACS+ and use the Admin role. Workaround: Do not use the ACE TACACS+ authentication for an Admin role. If you must use TACACS+ authentication for an Admin role, do not configure the Cisco ACS to send the cisco-av-pair* attribute.

www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/A1_x/release/note/RACEA1X.html

HTH

Ross

Are you saying that I do NOT need in Cisco ACS:

shell:Admin*Admin default-domain
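As an added illustration (not ACE or ACS code) of why the attribute ordering in CSCsl48103 matters: a parser that scans the whole TACACS+ authorization reply for the per-context shell attribute quoted above, so the role and domain come back whether or not cisco-av-pair arrives first. It assumes the layout shell:<context>*<role> <domain> shown in the thread; the attribute lists it parses are constructed samples.

```python
# Added illustration, not ACE or ACS code. TACACS+ authorization AV pairs
# are "attr=value" (mandatory) or "attr*value" (optional); the attribute
# name ends at the first '=' or '*'. The ACE layout assumed here, taken from
# the attribute quoted in the thread, is
#   shell:<context>  ->  "<role> <domain>"
# so "shell:Admin*Admin default-domain" means context Admin, role Admin,
# domain default-domain, sent as an optional attribute.
from typing import Dict, List, Optional, Tuple

AvPair = Tuple[str, str, bool]  # (attribute, value, mandatory)


def parse_av_pair(pair: str) -> AvPair:
    """Split one AV pair at its first '=' or '*' delimiter."""
    pos = min((i for i, ch in enumerate(pair) if ch in "=*"), default=-1)
    if pos <= 0:
        raise ValueError(f"malformed AV pair: {pair!r}")
    return pair[:pos], pair[pos + 1:], pair[pos] == "="


def ace_role_for_context(av_pairs: List[str], context: str) -> Optional[Dict[str, object]]:
    """Return role/domain for `context`, or None if no shell attribute is present.

    Every pair in the reply is examined, so a cisco-av-pair sent ahead of the
    shell attribute (the ordering the release note describes) cannot hide it.
    A None result is the case a device should treat as "no role granted".
    """
    wanted = f"shell:{context}"
    for attr, value, mandatory in map(parse_av_pair, av_pairs):
        if attr != wanted:
            continue
        parts = value.split()
        if len(parts) != 2:
            raise ValueError(f"expected '<role> <domain>', got {value!r}")
        return {"role": parts[0], "domain": parts[1], "mandatory": mandatory}
    return None


# Constructed sample replies: the same two attributes in both orders.
# The cisco-av-pair value is a made-up placeholder, not one from the thread.
SHELL_FIRST = ["shell:Admin*Admin default-domain", "cisco-av-pair*shell:priv-lvl=15"]
AVPAIR_FIRST = list(reversed(SHELL_FIRST))

if __name__ == "__main__":
    for reply in (SHELL_FIRST, AVPAIR_FIRST):
        print(reply, "->", ace_role_for_context(reply, "Admin"))
```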
