
TACACS Custom Attributes

bclough
Level 1

I am trying to configure a user to authenticate using a Cisco ACS v4.1. The user will require access to a Cisco ACE module using a specific role and domain. In order to do this I need to add the following to the TACACS custom attributes: "shell:development=Server-Maintenance dba". The user also should be able to authenticate and access routers and switches at privilege level 15.

If I leave the custom attributes out, the user can access the router/switches, but not the ACE. If I add the custom attributes in, the user can access the ACE but not the routers/switches.

What do I need to do to be able to access both with the same account??

3 Replies

Unfortunately that solution does not work for me. On some of the IOS devices I get logged in at privilege level 0 and can then change to level 15. On other IOS devices I get an "authorization failed" message and then the session closes. Without the ACE attributes set both systems log me in with privilege level 15.

The TACACS configuration appears to be identical on both systems.

Any ideas??

I found the solution to the problem. The custom attributes for the ACE must be configured as optional (using *) rather than mandatory (using =). Therefore, this will work:

shell:development*Admin default-domain

But this will not:

shell:development=Admin default-domain
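
The difference between the two separators, as an added example that is not part of the original thread: the TACACS+ protocol (RFC 8907) requires a client to treat authorization as failed when the reply carries a mandatory (`=`) argument it does not understand, while an unknown optional (`*`) argument may be ignored. The attribute sets each modelled device understands (`IOS_LIKE`, `ACE_LIKE`) and the sample replies are assumptions constructed for illustration, not vendor data.

```python
# Added illustration of TACACS+ mandatory vs optional AV-pair handling.
# Device models and sample replies are constructed assumptions.
from typing import NamedTuple


class AVPair(NamedTuple):
    name: str
    value: str
    mandatory: bool


def parse_av(raw):
    """Split on the first '=' (mandatory) or '*' (optional) separator."""
    hits = [i for i in (raw.find("="), raw.find("*")) if i != -1]
    if not hits:
        raise ValueError("no separator in %r" % raw)
    pos = min(hits)
    return AVPair(raw[:pos], raw[pos + 1:], raw[pos] == "=")


def authorize(reply, understood):
    """Client-side check: returns (passed, applied, skipped_or_rejected)."""
    applied, skipped = {}, []
    for av in map(parse_av, reply):
        if understood(av.name):
            applied[av.name] = av.value
        elif av.mandatory:
            # Unknown mandatory argument: the whole authorization fails.
            return False, {}, [av.name]
        else:
            # Unknown optional argument: ignored, session continues.
            skipped.append(av.name)
    return True, applied, skipped


# Assumed models: the router knows only priv-lvl; the ACE-like device
# also reads shell:<context> role/domain attributes.
def IOS_LIKE(name):
    return name == "priv-lvl"


def ACE_LIKE(name):
    return name == "priv-lvl" or name.startswith("shell:")


MANDATORY_REPLY = ["priv-lvl=15", "shell:development=Admin default-domain"]
OPTIONAL_REPLY = ["priv-lvl=15", "shell:development*Admin default-domain"]

if __name__ == "__main__":
    for label, reply in (("mandatory", MANDATORY_REPLY), ("optional", OPTIONAL_REPLY)):
        for dev, model in (("ios-like", IOS_LIKE), ("ace-like", ACE_LIKE)):
            print(label, dev, authorize(reply, model))
```

When auditing an ACS group shared across device types, any vendor-specific attribute sent as mandatory is a candidate cause of authorization failures on the devices that do not implement it.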
