Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Custom attribute on group in ACS for ACE

I am working setting up RBAC on my ACE-device. To give a user a specific role one use the Custom attribute "shell:<Context>*<Role> <Domain>".

The command is working if I define it directly on the user in adittion using Custom attribute directly. With that I meen not use a TACACS+ (Cisco IOS) -> "New Service" attached to the user.

Have anyone gotten this to work wither with (optional) or a "TACACS+ (Cisco IOS)-service". The same goes for both appliance and module.

Also, I am looking to get this working on a group. Not only on a user.

Thanks in advance for any help!

Everyone's tags (6)

Re: Custom attribute on group in ACS for ACE

Hello Ole Marius!

Take a look at the document I attached, it is a brief walkthrough on setting up TACACS+ (Cisco IOS) with ACE using either individual or groups.  You should not use, nor need the new service/optional configuration for this to work with ACE.


Chris Higgins

New Member

Re: Custom attribute on group in ACS for ACE

Hi Christopher and thanks for the responce!

I have allready tried as you asked and do manage to log inn with the correct role using the Custom Attriute directly on the user. The problems I am facing  are generally two:

  1. I have experiences that setting a shell-command directly on a user, and not through a "New Service", can cause problems when logging in on other Cisco-devices using the same ACS-server and user (eg. the non-ACE will freeze/crash/etc.). An (optional)-tag or using "New Service" has solved this problem earlier. Will the * guarantee for this not to happen as it is said to make the command optional? The organization I am implementing this for has a wide range of Cisco-products. Testing each type at every SW-upgrade for this bug will be a enormous task.
  2. I can not make this work when applying the same shell-command to a User Group (I only get logged in as Network-Monitor). Have you gotten it to work using groups? In that case, which version of ACS and ACE are you using? The organization I am implementing this for is a large one. Managing each users one by one is not an option.


Ole M. Steinkjer


Re: Custom attribute on group in ACS for ACE

Using "*" in the custom attribute means that the device recieving those details should ignore it if it does not understand the input.  "=" forces the device to parse the input wether it understands it or not.  We only support specific products, so I can say for our other Content devices, "*" works just fine.  It "should" work with other Cisco devices assuming you don't hit bugs on those devices.

For the group, I have had it work in the past, but I will check again in my lab and get back to you with the settings/version information!


Chris Higgins

CreatePlease to create content