
logging into the user mode on the ACE

axfalk
Level 1

We're currently logging right into the enable mode when logging into the ACE30. Is there a way to log into a user mode and then use an enable password to get into the enable mode on the ACEs?

Thanks.

Greg....


Kanwaljeet Singh
Cisco Employee

Hi Greg,

I don't see that as an option with ACE. When you log in through the supervisor or telnet/ssh to it, it logs into Exec mode directly. But with RBAC you can control what commands and privileges a user who has logged in will have. For more details regarding this please visit the link below:

http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/quick/guide/rbac.html

Regards,

Kanwal

Note: Please mark answers if they are helpful

Thanks Kanwal. These are the ACE modules, not the appliances, so I am not sure if you could still do RBAC?

Thanks again.

_Greg

Hi Greg,

I have an ACE30 with me and I just created a user test, assigned the Network-Monitor role, and I was able to access EXEC mode. But when I try to go to config mode it gives me an error.

switch/Admin# conf t
              ^
% invalid command detected at '^' marker.

So yes we do have RBAC still and in modules. Below is my role:

switch/Admin# show role

 Role: Network-Monitor (System-defined)
 Description: Monitoring for all features
 Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki

switch/Admin# sh users test
User                     Context                                                                Line         Login Time   (Location)    Role    Domain(s)
*test                    Admin                                                                  pts/2    Aug 20 11:53 (10.150.54.138)   Network-Monitor default-domain

You can see the role is Network-Monitor, the context is Admin and the user is test.

Regards,

Kanwal

Note: Please mark answers if they are helpful

Thanks  Kanwal and Karthik.

Can these role-based access controls be applied to TACACS IDs, as we're using TACACS for accessing the ACEs?

 

Thanks again.

 

_ Greg...

Hi Greg,

Yes, they can be used. ACE uses RBAC, and for that you have to pass the context and User Role from the TACACS server to ACE to make it work. If there is no RBAC info pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.

For more details please visit the below document:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/v3-00_A2/configuration/security/guide/securgd/aaa.html

One more similar discussion around it:

https://supportforums.cisco.com/discussion/10194911/ace-setup-aaa-tacacs-using-cs-unix-acs

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

Karthik, Kanwal, thanks much for your responses...

 

_Greg

Hi Greg,

Yes, I agree with Kanwal. We need to add the required shell parameters in the TACACS server to provide admin access... else it will provide only monitor access....

Sample log when we configure a default user ID in the TACACS server...

lb01/Admin# show users

User                     Context                                                                Line         Login Time   (Location)    Role    Domain(s)

admin                    Admin                                                                  pts/0    Nov  5 12:47 (10.78.26.233)     Admin   default-domain

*karthik                Admin                                                                  pts/1    Nov  5 13:25 (10.78.26.233)     Network-Monitor default-domain

lb01/Admin#

 

Regards

Karthik
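
The role fallback described in this thread can be checked from captured `show users` output. The following is an added example, not part of the original posts and not Cisco tooling: it parses the output format quoted above and flags sessions whose role differs from an expected-role map. The sample text, the `EXPECTED` map and the function names are constructed assumptions.

```python
import re

# Constructed sample, modelled on the `show users` output quoted in this thread.
# The last row is wrapped by the terminal, as can happen with long rows.
SAMPLE = """\
lb01/Admin# show users
User        Context   Line     Login Time   (Location)    Role    Domain(s)
admin       Admin     pts/0    Nov  5 12:47 (10.78.26.233)     Admin   default-domain
*karthik    Admin     pts/1    Nov  5 13:25 (10.78.26.233)     Network-Monitor default-domain
test        Admin     pts/2    Aug 20 11:53 (10.150.54.138)   Network-Monitor default-domai
n
lb01/Admin#
"""

# Role the thread says ACE assigns when TACACS authenticates without pushing RBAC info.
DEFAULT_ROLE = "Network-Monitor"

ROW = re.compile(
    r"^(?P<current>\*?)(?P<user>\S+)\s+(?P<context>\S+)\s+(?P<line>\S+)\s+"
    r"(?P<login>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+\((?P<location>[^)]+)\)\s+"
    r"(?P<role>\S+)\s+(?P<domains>.+)$"
)

def parse_show_users(text):
    """Return one dict per session row; skips CLI prompts and the header."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line or re.match(r"User\s+Context", line):
            continue
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["current"] = bool(row["current"])  # '*' marks the caller's own session
            row["domains"] = row["domains"].split()
            sessions.append(row)
        elif sessions:
            # Wrapped tail of the previous row: glue it onto the last domain.
            sessions[-1]["domains"][-1] += line
    return sessions

def audit(sessions, expected):
    """Compare each session's role with a hypothetical expected-role map."""
    findings = []
    for s in sessions:
        want = expected.get(s["user"])
        if want is None:
            findings.append((s["user"], "unlisted", s["role"]))
        elif s["role"] != want:
            kind = "default-role-fallback" if s["role"] == DEFAULT_ROLE else "role-mismatch"
            findings.append((s["user"], kind, s["role"]))
    return findings

EXPECTED = {"admin": "Admin", "karthik": "Admin", "test": "Network-Monitor"}  # assumed policy
```

A `default-role-fallback` finding for a TACACS user who should be an administrator points at the server not sending the context and role, which is the situation described in the post above.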

Hi Greg,

Document with respect to ACE module

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/getting/started/guide/ace_module_gsg/rbac.html

 

Regards

Karthik
