cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
939
Views
0
Helpful
6
Replies

Problem ACE with tacacs

Dear Mister

 

I have the next trouble. I have a ACE software with version A5(1.2) Before we use the version A3.1. Well, after the change (everything is with the same configuration), when I tried to configure the context and equipment, is impossible. I do ..

switch/cert# conf t
             ^
% invalid command detected at '^' marker.

But the user is authenticated. I do a show role, and I get this:

switch/cert# show role

 Role: Network-Monitor (System-defined)
 Description: Monitoring for all features
 Number of rules: 4
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki

 

The running configuration about tacacs is the next (with the another version functioned):

tacacs-server host 10.20.2.80 key 7 "wjzyhlpx"
tacacs-server host 10.20.16.138 key 7 "wjzyhlpx"
aaa group server tacacs+ TACACS
  server 10.20.2.80
  server 10.20.16.138

aaa authentication login default group TACACS local

I accept any suggestion.

 

Best Regards

 

 

 

 

6 Replies 6

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi Rodrigo,

I see in "show role" that you have only "network-monitor" role. Please login with user who has appropriate privileges like admin and you should not face this problem. For instance, a user with privileges would look like this:

switch/Admin# sh role

 Role: Admin (System-defined)
 Description: Administrator
 Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                 all
   2.   Permit    Create         user access
   3.   Permit    Create              system
   4.   Permit    Create            changeto
   5.   Permit    Create       exec-commands


You have different options which you can select and use but the one you are using has only "Monitor" option.

I didn't get your question regarding TACACS. Could you please clarify on that.

Hope this helps!

Regards,

Kanwal

 

 

 

OK. Thanks four your answer.

But, in this case the tacacs is not ACS Cisco. Is another TACACS.

 

The question is ... how I can change the role from  "network-monitor" toward "Admin"???  Because the user database is external (using tacacs not Cisco).

 

What must to get the ACE, also to the username??

 

O , how can I change the role default in ace??

 

Regards

 

Hi Rodrigo,

The role seems to be system defined. You should have a user role with which you should be able to  login and make changes. With network monitor role, you cannot do anything. I am not sure if you can change it on your TACACS.

Regards,

Kanwal

Thank Mister

 

The most strange thing, is than we have another context (in the same module, with the same configuration tacacs and aaa) and the user connection function.

 

Best Regards

Hi, Since the users are created on tacacs server, you need to check tacacs server for ace users roles for each context.

Regards

Hello, maybe... TACACS server must be able to send and receive attributes in messages with a value. For example lets say I have the Admin context, following server config would apply in the shell profile:

Attribute) shell:Admin

Value) Admin default-domain

Same with ACS too.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: