12-26-2008 06:13 PM
Hi,
I have recently opened a TAC case on an issue I'm having with authenticating users via TACACS on the ACE 4710.
The TAC engineer is telling me that for the authentication to work I need that same user to also have an account on the proper context (Admin context in this case). For example, if I get an ACS account named netadmin, I will also need to create that account on the ACE 4710 (kind of like MARS...).
Is this true?
From the past posts I have read it seems people have gotten this to work by using the following two steps:
A. Configure ACS properly
1. Select user
2. Scroll down to TACACS+ settings
3. Check "shell(exec)" option
4. Check "custom attributes"
5. Add the custom AV-Pair info in the following format:
shell:Admin*Admin default-domain.
6. Save / and then stop/start ACS services
B. Configure the ACE
tacacs-server host a.b.c.d key XXXXXX
aaa group server tacacs+ TACACS
  server a.b.c.d
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable
Are there people out there using this successfully without the ACS accounts needing to also be on the ACE?
Thanks in advance!
Brad
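An added example, not part of the original post and not Cisco tooling: a small Python linter for the custom attribute from step A.5, so a malformed line in the ACS profile is caught before login testing. The names `parse_av_pair` and `lint_profile`, the trailing-period heuristic, and exact-case matching of context names are assumptions made for this example.

```python
import re

# Shape of the custom attribute in the post: shell:<context>*<role> <domain> ...
# In TACACS+, "=" marks an attribute mandatory and "*" marks it optional.
AV_PAIR = re.compile(r"^shell:([^\s=*]+)([=*])(\S+)((?:[ \t]+\S+)*)$")

def parse_av_pair(line):
    """Split one custom-attribute line into context, role and domains."""
    m = AV_PAIR.match(line.strip())
    if m is None:
        raise ValueError(f"not in shell:<context>*<role> <domain> form: {line!r}")
    context, sep, role, domains = m.groups()
    return {"context": context, "mandatory": sep == "=",
            "role": role, "domains": domains.split()}

def lint_profile(lines, login_context):
    """Return (entry matching login_context or None, list of findings)."""
    findings, match = [], None
    for line in lines:
        try:
            entry = parse_av_pair(line)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        ctx = entry["context"]
        if not entry["domains"]:
            findings.append(f"{ctx}: no domain listed")
        # Heuristic (assumption): a trailing "." is sentence punctuation
        # pasted along with the value, not part of the domain name.
        for d in entry["domains"]:
            if d.endswith("."):
                findings.append(f"{ctx}: domain {d!r} ends with '.'")
        if ctx == login_context:
            if match is not None:
                findings.append(f"{ctx}: more than one entry")
            match = match or entry
        elif ctx.lower() == login_context.lower():
            # Assumption: context names are compared exactly, case included.
            findings.append(f"{ctx!r} differs from {login_context!r} only by case")
    if match is None:
        findings.append(f"no entry for context {login_context!r}")
    return match, findings

# Constructed sample input: the line from the post plus two broken variants.
SAMPLE = ["shell:Admin*Admin default-domain",
          "shell:admin*Admin default-domain.",
          "shell Admin Admin default-domain"]

if __name__ == "__main__":
    entry, findings = lint_profile(SAMPLE, "Admin")
    print(entry, *findings, sep="\n")
```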
12-29-2008 04:28 AM
Hi,
We have ACE Appliances working with ACS without having to create local accounts - and your process looks ok too (your ACE config is identical to mine).
Check out this thread for a similar issue:
HTH
Andrew.
12-29-2008 07:26 AM
That helps very much! Thank you Andrew!