08-20-2014 10:56 AM
We're currently logging right into the enable mode when logging into the ACE30. Is there a way to log into a user mode and then use an enable password to get into the enable mode on the ACEs?
Thanks.
Greg....
08-21-2014 03:07 AM
Hi Greg,
Document with respect to the ACE module:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/getting/started/guide/ace_module_gsg/rbac.html
Regards
Karthik
08-21-2014 08:03 AM
Hi Greg,
Yes, they can be used. ACE uses RBAC, and for that you have to pass the context and user role from the TACACS server to ACE to make it work. If there is no RBAC info pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
For more details please visit the below document:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/v3-00_A2/configuration/security/guide/securgd/aaa.html
One more similar discussion around it:
https://supportforums.cisco.com/discussion/10194911/ace-setup-aaa-tacacs-using-cs-unix-acs
Regards,
Kanwal
Note: Please mark answers if they are helpful.
08-20-2014 11:20 AM
Hi Greg,
I don't see that as an option with ACE. Whether you log in through the supervisor or via telnet/ssh, it logs into Exec mode directly. But with RBAC you can control what commands and privileges the user who has logged in will have. For more details regarding this please visit the below link:
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/quick/guide/rbac.html
Regards,
Kanwal
Note: Please mark answers if they are helpful
08-20-2014 11:54 AM
Thanks Kanwal. These are the ACE modules, not the appliances, so I am not sure if you could still do RBAC?
Thanks again.
_Greg
08-20-2014 11:59 AM
Hi Greg,
I have an ACE30 with me and I just created a user "test", assigned it the Network-Monitor role and I was able to access EXEC mode. But when I try to go to config mode it gives me an error.
switch/Admin# conf t
^
% invalid command detected at '^' marker.
So yes we do have RBAC still and in modules. Below is my role:
switch/Admin# show role
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Monitor all
2. Permit Monitor changeto
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
switch/Admin# sh users test
User Context Line Login Time (Location) Role Domain(s)
*test Admin pts/2 Aug 20 11:53 (10.150.54.138) Network-Monitor default-domain
You can see the role is Network-Monitor, the context is Admin and the user is test.
Regards,
Kanwal
Note: Please mark answers if they are helpful
08-21-2014 07:51 AM
Thanks Kanwal and Karthik.
Can these role-based access controls be applied to TACACS IDs, as we're using TACACS for accessing the ACEs?
Thanks again.
_ Greg...
08-22-2014 05:25 AM
Karthik, Kanwal, thanks much for your responses...
_Greg
08-21-2014 11:33 PM
Hi Greg,
Yes, I agree with Kanwal. We need to add the required shell parameters in the TACACS server to provide admin access... else it will provide only monitor access....
Sample log when we configure a default user ID in the TACACS server...
lb01/Admin# show users
User Context Line Login Time (Location) Role Domain(s)
admin Admin pts/0 Nov 5 12:47 (10.78.26.233) Admin default-domain
*karthik Admin pts/1 Nov 5 13:25 (10.78.26.233) Network-Monitor default-domain
lb01/Admin#
Regards
Karthik
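As an added example (not code from the thread or from Cisco), here is a small parser for the "show users" output quoted above, plus an audit check for the point Kanwal and Karthik make: a TACACS user who lands in Network-Monitor when the server should have pushed a different role is a sign the shell parameters are missing. The sample output and the expected-role map are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the `show users` output quoted in the thread.
SAMPLE_SHOW_USERS = """\
lb01/Admin# show users
User Context Line Login Time (Location) Role Domain(s)
admin Admin pts/0 Nov 5 12:47 (10.78.26.233) Admin default-domain
*karthik Admin pts/1 Nov 5 13:25 (10.78.26.233) Network-Monitor default-domain
test Admin pts/2 Aug 20 11:53 (10.150.54.138) Network-Monitor default-domain ops-domain
lb01/Admin#
"""

# Role ACE assigns when the AAA server authenticates but pushes no role.
DEFAULT_ROLE = "Network-Monitor"

# One session row: optional '*' marks the current session; the login time is
# "Mon DD HH:MM"; the location is parenthesised; domains are the remainder.
LINE_RE = re.compile(
    r"^(?P<current>\*?)(?P<user>\S+)\s+(?P<context>\S+)\s+(?P<line>\S+)\s+"
    r"(?P<login>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+\((?P<location>[^)]+)\)\s+"
    r"(?P<role>\S+)\s*(?P<domains>.*)$"
)

@dataclass
class Session:
    user: str
    context: str
    line: str
    login: str
    location: str
    role: str
    domains: list
    current: bool

def parse_show_users(text):
    """Return Session objects for each row; header, prompt and blank lines are skipped."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        g = m.groupdict()
        sessions.append(Session(g["user"], g["context"], g["line"], g["login"],
                                g["location"], g["role"], g["domains"].split(),
                                g["current"] == "*"))
    return sessions

def audit_roles(sessions, expected_roles):
    """Users whose live role differs from what the TACACS policy should have pushed.
    Returns (user, expected, actual); 'actual' == DEFAULT_ROLE means no role arrived."""
    return [(s.user, expected_roles[s.user], s.role)
            for s in sessions if s.user in expected_roles and s.role != expected_roles[s.user]]
```

Running audit_roles over the sample with {"karthik": "Admin"} flags karthik as expected Admin but actually Network-Monitor, which is exactly Karthik's default-user-ID situation.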