
ACE Appliance & AAA

hi there,

We've had 2 Cisco ACE appliances in use for a few weeks.

They should be able to work with TACACS+, but I've found no way to configure the ACE for TACACS+ login. So, logging in is possible, but only in the role "Network-Monitor", so I cannot configure anything. We need to log in with the role "Admin".

We're using Cisco Secure for TACACS+ login.

Can anyone help?

Thanks, K. Liepold

1 ACCEPTED SOLUTION

Re: ACE Appliance & AAA

On your TACACS+ server:

1. Select the user.

2. Scroll down to the TACACS+ settings.

3. Check the "shell(exec)" option.

4. Check "custom attributes".

5. In the custom attributes window, add the custom AV-pair info in the following format:

shell:* default-domain

For example, if you are setting it for the Admin context and the Admin user, then use the following:

shell:Admin*Admin default-domain

Just to let you know that the "Data Center" area is the right place to ask ACE-related questions.

Thanks

Syed Iftekhar Ahmed

4 REPLIES

Re: ACE Appliance & AAA

OK, "Data Center" is saved in my brain ;-)

But:

It works!

1,000 thanks... :-)

K. Liepold

Re: ACE Appliance & AAA

Many thanks for this tip also - it's better than the manual!

The ACE 4710 security guide says:

shell:= ...

But when I tried that on a group in ACS, all my admins were unable to log in to IOS devices any more.

Replacing the = with * as you suggest makes that problem go away.

If anyone from Cisco is lurking here, please can you get the guide changed? It's very dangerous advice if your admins also administer IOS devices.

Re: ACE Appliance & AAA

Just to clarify why it worked with *:

* represents an optional attribute that can be ignored by a device, whereas = means a mandatory attribute. If an attribute is not supported by a device, it will drop the auth request; replacing = with * made the attribute optional for IOS devices (devices that do not understand these AV-pairs sent by ACE).

Copied from the TACACS+ draft:

"The authorization arguments in both the REQUEST and the RESPONSE are attribute-value pairs. The attribute and the value are in a single ascii string and are separated by either a "=" (0X3D) or a "*" (0X2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one."

Syed Iftekhar Ahmed
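To make the mandatory/optional rule from the draft concrete, here is a small added example (not ACE, ACS or IOS code) that parses the AV pairs quoted in this thread and applies the rule as two hypothetical devices would. Which attributes each device "understands" (IOS only `priv-lvl`, the ACE the `shell:<context>` pairs) is a simplifying assumption made for illustration.

```python
"""Added example (not ACE, ACS or IOS code): the TACACS+ '=' vs '*' rule.

parse_avpair() splits an authorization argument at its first separator;
authorize() applies the draft's rule that an unsupported MANDATORY attribute
fails the whole response while an unsupported OPTIONAL one is ignored.
Which attributes each device "understands" is a simplifying assumption."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # '=' -> mandatory, '*' -> optional


def parse_avpair(arg: str) -> AVPair:
    """Split at the FIRST '=' or '*'; any later '*' (ACE's own
    context*role delimiter) stays inside the value."""
    idx = next((i for i, ch in enumerate(arg) if ch in "=*"), -1)
    if idx <= 0:
        raise ValueError(f"malformed AV pair: {arg!r}")
    return AVPair(arg[:idx], arg[idx + 1:], arg[idx] == "=")


def authorize(args: list[str], understands: Callable[[str], bool]):
    """Return (passed, applied_attributes) for one device."""
    applied = {}
    for arg in args:
        pair = parse_avpair(arg)
        if understands(pair.attribute):
            applied[pair.attribute] = pair.value
        elif pair.mandatory:
            return False, {}  # unknown mandatory attribute: reject the whole response
        # unknown optional attribute: drop it and keep going
    return True, applied


def scenario(separator: str) -> dict:
    """Same ACS group sent to an IOS router and an ACE; separator is '=' or '*'."""
    args = ["priv-lvl=15", f"shell:Admin{separator}Admin default-domain"]
    ios_ok, _ = authorize(args, lambda a: a == "priv-lvl")  # assumed IOS view
    ace_ok, ace_attrs = authorize(args, lambda a: a.startswith("shell:") or a == "priv-lvl")
    return {"ios": ios_ok, "ace": ace_ok, "ace_attrs": ace_attrs}


if __name__ == "__main__":
    for sep in "=*":
        print(sep, scenario(sep))
```

With `=` the IOS side fails the whole authorization (the lock-out described above), while with `*` both devices pass and the ACE still receives its context/role pair.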
