ACE 4700 and Cisco ACS aaa authentication

ACE version Software

loader: Version 0.95

system: Version A1(7b) [build 3.0(0)A1(7b)]

Cisco ACS version 4.0.1

I am trying to authenticate admin users with AAA authentication for ACE management.

This is what I've done:

ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49

warning: numeric key will not be encrypted

ACE-lab/Admin(config)# aaa group server tacacs+ cciesec

ACE-lab/Admin(config-tacacs+)# server ?

<A.B.C.D> TACACS+ server name

ACE-lab/Admin(config-tacacs+)# server 192.168.3.10

can not find the TACACS+ server

specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry

ACE-lab/Admin(config-tacacs+)#

Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.

Please help. Thanks.

20 REPLIES
Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Can any ACE gurus help me out here? Thanks.

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

The problem is the numeric key.

Change the key to something non-numeric.

Gilles.

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

BTW, I have created a new bug for this, CSCsv04319, so we can make the error message more explicit or accept the key even if it is all numeric.

Not sure yet which way we will go.

Thanks for reporting the problem.

Gilles.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Thanks. Now I have another problem. I CAN log into the ACE via tacacs+ account(s). However, I get an error when I try going into configuration mode:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

^

% invalid command detected at '^' marker.

ACE-lab/Admin#

The ngx1 account can access other Cisco routers/switches just fine and can go into enable mode just fine. The only issue is on the ACE.

Any ideas? Thanks.

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

ACE doesn't like the '=' in the AV pair.

So you might have to do something like below to make sure you end up with the right role.

shell:Admin*Admin default-domain

instead of

shell:Admin=Admin default-domain

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Where do I find that in Cisco ACS? I am not using any AV pair.

Why is ACE so different than Cisco IOS routers or ASA? If I am not configuring AAA authorization on the device, why should it matter with shell Admin?

I also set up the group which the ngx1 account in Cisco ACS, by default, is permitted to use ALL services, but it is not working either.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Ok. This is what I did:

On your TACACS server:

1. Select the group that the ngx1 user belongs to.

2. Scroll down to the tacacs+ settings.

3. Check the "shell(exec)" option.

4. Check "custom attributes".

5. In the custom attributes window add the custom AV-Pair info in the following format:

shell:Admin*Admin default-domain

Restart the ACS service.

Try to login again and same result.

Anyone know why?

Re: ACE 4700 and Cisco ACS aaa authentication

Run the following command:

show user-account

Within this command output, what role do you see for the user you are logged in as?

Since it's not working I suspect it would say "Network Monitor" (default). If that is the case then the most likely cause is that the Cisco AV-Pair information is not entered correctly.

Syed Iftekhar Ahmed

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

ACE-lab/Admin# sh user-account | b ngx1

user:ngx1

roles: Network-Monitor

domain: default-domain

Context: Admin

account created through REMOTE authentication

Local login not possible

ACE-lab/Admin#

Now how do I go about fixing it? I followed the instructions you suggested step by step.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Can gurus in this forum help me resolve this issue? Thank you.

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

If your ACS setup has the correct line shell:Admin*Admin default-domain with the correct names (case sensitive), then it should work.

If everything looks good, do:

debug aaa aaa-req

debug aaa events

debug aaa error

Try to login and see what you get.

Gilles.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

I can log in fine with the AAA credential but I can NOT run any debug aaa commands:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

^

% invalid command detected at '^' marker.

ACE-lab/Admin# debug aaa aaa-req

^

% invalid command detected at '^' marker.

ACE-lab/Admin#

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

The debug AAA output is in the attachment. Can someone help?

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

You do not have any other access to the device?

What about the console? Do you also run TACACS on the console?

G.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

This is what I did:

1. Configure the AAA configuration on the ACE box.

2. Go to my Cisco ACS and stop the ACS service. That enables me to log into the ACE box with "admin/admin".

3. Enable the Cisco ACS service on the ACS server.

4. Now I can log into the ACE box with the ngx1 account. However, I can not go into "conf t" mode.

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Can anyone help? Thanks in advance.

Cisco Employee

Re: ACE 4700 and Cisco ACS aaa authentication

The next thing is to get a sniffer trace of the TACACS exchange.

We'll need the key to decode.

You can also try to upgrade to A1(8a) or A3(1.0).

Finally, a service request with the TAC seems appropriate.

Gilles.

Community Member

Re: ACE 4700 and Cisco ACS aaa authentication

I found the following in the ACE 4700 release notes:

CSCsl48103-When the ACE is configured for TACACS+ authentication with a user context and the Cisco ACS sends the cisco-av-pair* attribute before the ACE custom shell attribute, you cannot log in to the ACE via TACACS+ and use the Admin role. Workaround: Do not use the ACE TACACS+ authentication for an Admin role. If you must use TACACS+ authentication for an Admin role, do not configure the Cisco ACS to send the cisco-av-pair* attribute.

www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/A1_x/release/note/RACEA1X.html

HTH

Ross
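As an added example (not from this thread, and not Cisco code), a small Python lint over the TACACS+ attributes an ACS group would send to an ACE, encoding the points raised above: Gilles's numeric-key and '*' versus '=' advice, his case-sensitivity remark, and the attribute-ordering caveat in the release note Ross quotes. The shell:<context>*<role> <domain> reading of the attribute, the role/domain lists and the sample attribute values are assumptions.

```python
"""Lint an ACS TACACS+ profile meant for a Cisco ACE (constructed example,
not Cisco code).  Flags: an all-numeric tacacs-server key, '=' instead of
'*' in the custom shell attribute, case mismatches in role/domain names,
and a cisco-av-pair* attribute sent ahead of the shell attribute (CSCsl48103)."""
from __future__ import annotations
import re

# Roles and domains named in the thread; extend with those configured on your ACE.
KNOWN_ROLES = {"Admin", "Network-Monitor"}
KNOWN_DOMAINS = {"default-domain"}
DEFAULT_ROLE = "Network-Monitor"  # what 'show user-account' reports when the mapping fails

# Assumed layout, read from the thread's example: shell:<context>*<role> <domain> [<domain> ...]
SHELL_RE = re.compile(r"^shell:(?P<ctx>[^*=\s]+)\*(?P<role>\S+)(?P<domains>(?:\s+\S+)+)$")


def check_tacacs_key(key: str) -> list[str]:
    """Mirror the ACE warning: an all-numeric key is not encrypted and, in the
    A1(7b) release discussed here, the 'server' command does not match it."""
    return ["key is all-numeric; use a non-numeric key"] if key.isdigit() else []


def lint_profile(attrs: list[str]) -> tuple[str, list[str]]:
    """Return (role the ACE would most likely assign, list of findings)."""
    findings: list[str] = []
    shell_idx = next((i for i, a in enumerate(attrs) if a.startswith("shell:")), None)
    if shell_idx is None:
        return DEFAULT_ROLE, ["no shell: attribute; user falls back to " + DEFAULT_ROLE]
    shell = attrs[shell_idx]
    # Release-note caveat: cisco-av-pair* before the shell attribute breaks Admin login.
    if any(a.startswith("cisco-av-pair*") for a in attrs[:shell_idx]):
        findings.append("cisco-av-pair* precedes the shell attribute (CSCsl48103)")
    if "=" in shell.split(" ", 1)[0]:
        findings.append("'=' used as separator; ACE expects shell:<context>*<role>")
    m = SHELL_RE.match(shell)
    if not m:
        findings.append("shell attribute does not parse")
        return DEFAULT_ROLE, findings
    role = m.group("role")
    if role not in KNOWN_ROLES:
        hint = next((r for r in KNOWN_ROLES if r.lower() == role.lower()), None)
        msg = f"unknown role {role!r}"
        findings.append(msg + (f" (case-sensitive; did you mean {hint!r}?)" if hint else ""))
    for d in m.group("domains").split():
        if d not in KNOWN_DOMAINS:
            findings.append(f"unknown domain {d!r} (names are case-sensitive)")
    return (role if not findings else DEFAULT_ROLE), findings


if __name__ == "__main__":
    print(check_tacacs_key("123456"))                      # the thread's numeric key
    print(lint_profile(["shell:Admin=Admin default-domain"]))  # constructed '=' variant
    print(lint_profile(["shell:Admin*Admin default-domain"]))  # the working form
```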

Silver

Re: ACE 4700 and Cisco ACS aaa authentication

Are you saying that I do NOT need in Cisco ACS:

shell:Admin*Admin default-domain
