ACE 4700 and Cisco ACS aaa authentication

cisco24x7, Level 6

ACE version Software

loader: Version 0.95

system: Version A1(7b) [build 3.0(0)A1(7b)

Cisco ACS version 4.0.1

I am trying to authenticate admin users with AAA authentication for ACE management.

This is what I've done:

ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49

warning: numeric key will not be encrypted

ACE-lab/Admin(config)# aaa group server tacacs+ cciesec

ACE-lab/Admin(config-tacacs+)# server ?

<A.B.C.D> TACACS+ server name

ACE-lab/Admin(config-tacacs+)# server 192.168.3.10

can not find the TACACS+ server

specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry

ACE-lab/Admin(config-tacacs+)#

Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.

Please help. Thanks.

20 Replies

cisco24x7, Level 6

Can any ACE gurus help me out here? Thanks.

The problem is the numeric key.

Change the key to something non-numeric.

Gilles.

BTW, I have created a new bug for this CSCsv04319 so we can make the error message more explicit or accept the key even if all numeric.

Not sure yet which way we will go.

Thanks for reporting the problem.

Gilles.

Thanks. Now I have another problem. I CAN log into the ACE via tacacs+ account(s). However, I get an error when I try going into configuration mode:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

^

% invalid command detected at '^' marker.

ACE-lab/Admin#

The ngx1 account can access other Cisco routers/switches just fine and can go into enable mode just fine. Only issue on the ACE.

Any ideas? Thanks.

ACE doesn't like the '=' in AV pair.

So you might have to do something like below to make sure you end up with the right role.

shell:Admin*Admin default-domain

instead of

shell:Admin=Admin default-domain

Where do I find that in Cisco ACS? I am not using any AV pair.

Why is ACE so different from Cisco IOS routers or ASA? If I am not configuring AAA authorization on the device, why should it matter with shell Admin?

I also set up the group that the ngx1 account belongs to in Cisco ACS; by default, it is permitted to use ALL services, but it is not working either.

Ok. This is what I did:

On your Tacacs Server

1. Select group that ngx1 user belongs to,

2. Scroll down to tacacs+ setting

3. check "shell(exec)" option

4. check "custom attributes"

5. In the custom attributes window add the custom AV-Pair info in the following format:

shell:Admin*Admin default-domain

Restart the ACS service.

Try to login again and same result.

Anyone know why?
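As an added example (not from this thread, the ACS, or Cisco), a small Python checker for the two points discussed above: the '*' rather than '=' separator in the shell:... custom attribute entered in steps 1-5, and the follow-up check that show user-account no longer reports the default Network-Monitor role. It assumes the attribute fields are context, role and domain(s), matching the Context / roles / domain lines of the show user-account output in this thread, and it only knows the two role names that appear on this page.

```python
import re

# Roles named in this thread; the set is an assumption to extend with the
# deployment's other ACE roles.
KNOWN_ROLES = {"Admin", "Network-Monitor"}

# Assumed field layout: shell:<context><sep><role> <domain...>, matching the
# Context / roles / domain lines 'show user-account' prints in the thread.
AVPAIR_RE = re.compile(r"^shell:(?P<ctx>[^=*\s]+)(?P<sep>[=*])(?P<rest>.+)$")

# 'show user-account' output copied from the thread, used as sample input.
SAMPLE_SHOW_USER_ACCOUNT = """user:ngx1
roles: Network-Monitor
domain: default-domain
Context: Admin
account created through REMOTE authentication
Local login not possible"""


def check_avpair(avpair, known_roles=KNOWN_ROLES):
    """Validate the ACS custom attribute line before it goes into the server."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        return {"ok": False, "problems": ["expected shell:<context>*<role> <domain...>"]}
    fields = m.group("rest").split()
    role, domains = fields[0], fields[1:]
    problems = []
    if m.group("sep") == "=":
        # TACACS+ marks mandatory attributes with '=' and optional ones with '*';
        # the thread shows ACE only honouring the '*' form.
        problems.append("use '*' not '=': shell:%s*%s" % (m.group("ctx"), " ".join(fields)))
    if role not in known_roles:
        same = [r for r in known_roles if r.lower() == role.lower()]
        problems.append("role %r %s" % (role, "has wrong case, use %r" % same[0]
                                         if same else "is not a known ACE role"))
    return {"ok": not problems, "context": m.group("ctx"), "role": role,
            "domains": domains, "problems": problems}


def remote_role(show_user_account):
    """Role ACE gave a remotely authenticated user, or None for a local account."""
    # Network-Monitor (the default) on a REMOTE account means the AV pair was not applied.
    if "REMOTE authentication" not in show_user_account:
        return None
    m = re.search(r"roles:\s*(\S+)", show_user_account)
    return m.group(1) if m else None
```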

Run the following command

show user-account

Within this command output, what role do you see for the user you are logged in as?

Since it's not working, I suspect it would say "Network Monitor" (default). If that is the case, then the most likely cause is that the Cisco AV-Pair information is not entered correctly.

Syed Iftekhar Ahmed

ACE-lab/Admin# sh user-account | b ngx1

user:ngx1

roles: Network-Monitor

domain: default-domain

Context: Admin

account created through REMOTE authentication

Local login not possible

ACE-lab/Admin#

Now how do I go about fixing it? I followed the instructions you suggested step by step.

Can gurus in this forum help me resolve this issue? Thank you.

If your ACS setup has the correct line shell:Admin*Admin default-domain with the correct names (case sensitive), then it should work.

If everything looks good do

debug aaa aaa-req

debug aaa events

debug aaa error

Try to login and see what you get.

Gilles.

I can log in fine with the AAA credential but I can NOT run any debug aaa commands:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

^

% invalid command detected at '^' marker.

ACE-lab/Admin# debug aaa aaa-req

^

% invalid command detected at '^' marker.

ACE-lab/Admin#

The debug aaa output is in the attachment. Can someone help?
