AAA Authentication Question

kendo.igor
Level 1

I'm using MDS 2916 and Cisco ACS 3.1.

I'm able to create user accounts in ACS who can successfully log on to the MDS 2916 via telnet. However, these users have "Network-operator" privileges. How can I give these TACACS+ user accounts "Network-admin" privileges?


tblancha
Cisco Employee

The network-admin attribute will be passed to the MDS as an AV-Pair.

In order to do this, follow these steps:

1. Go to your ACS server.

2. Select your user.

3. All the way down there is a table named: TACACS+ Settings.

4. Check Shell (exec) and Custom attributes.

5. In the following edit box put this:

cisco-av-pair=shell:roles="network-admin"

This will return the role "network-admin" to the MDS for that specific user.

I successfully modified my user and was authenticated as Network Admin in the MDS. However, when I try to log in into my routers I get the following message:

TAC+: Received Attribute "shell:roles="network-admin""

AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:roles="network-admin"

AAA/AUTHOR/EXEC: Authorization FAILED

Do I have to create 1 user to administrate my routers and 1 user for my MDS?

Thanks for your help

Starting with SAN-OS 1.3.5, you can apply the following in TACACS+ so an MDS user will get to be admin. However, the following does not interfere with the IOS enable privileges. In a nutshell, if you want it all to work together, upgrade the MDSs to 1.3.5 and in the server, use one of the following:

cisco-av-pair*shell:roles="network-admin"

cisco-av-pair*shell:roles*"network-admin"

cisco-av-pair=shell:roles*"network-admin"

cisco-av-pair=shell:roles="network-admin"
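The difference between the `=` and `*` forms listed above is the TACACS+ separator rule: in an authorization reply, `attr=value` is a mandatory attribute and `attr*value` is an optional one. A client that receives a mandatory attribute it does not understand must fail the authorization, which is exactly what the router log earlier in this thread shows ("received unknown mandatory AV ... Authorization FAILED"); an unknown optional attribute is simply ignored, while a client that does understand it (the MDS) applies it either way. The following is an added illustration, not code from this thread or from Cisco: it parses the bare AV pairs as the router logged them (the `cisco-av-pair` prefix is the ACS custom-attribute line, which is not modelled here) and evaluates them against two simplified, hypothetical client profiles, an IOS-style client that knows `shell:priv-lvl` but not `shell:roles`, and an MDS-style client that knows `shell:roles`. The known-attribute sets and the `authorize` function are constructed for the example.

```python
"""
Toy evaluator for TACACS+ authorization-reply attribute-value pairs.

Applies the separator rule of the TACACS+ protocol (RFC 8907, section 8.1):
'=' marks a mandatory attribute, '*' marks an optional one. A client that
does not understand a mandatory attribute must fail the authorization; an
unknown optional attribute is ignored. The client profiles below are
simplified models built for this example, not real device behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One AV pair: attribute name, separator, value. The separator is the FIRST
# '=' or '*' in the string; everything after it is the value, so a value may
# itself contain quotes or '=' (e.g. shell:roles="network-admin").
AV_RE = re.compile(r'^([^=*]+)([=*])(.*)$', re.DOTALL)


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split 'attr=value' / 'attr*value' into its parts."""
    m = AV_RE.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, mandatory=(sep == "="))


def roles_from_value(value: str) -> list[str]:
    """Strip the surrounding quotes from a shell:roles value and split it
    into individual role names (whitespace-separated inside the quotes)."""
    return value.strip().strip('"').split()


# Hypothetical attribute sets for two client profiles (constructed for the
# example): an IOS-style client of the era that understands privilege levels
# but not roles, and an MDS/SAN-OS-style client that understands roles.
IOS_KNOWN = {"shell:priv-lvl"}
MDS_KNOWN = {"shell:roles"}


def authorize(known_attrs: set[str], av_pairs: list[AVPair]) -> tuple[bool, dict[str, str], list[str]]:
    """Return (passed, applied_attributes, ignored_optional_attributes).

    Unknown mandatory attribute -> authorization fails (the router's
    'received unknown mandatory AV ... Authorization FAILED' case).
    Unknown optional attribute  -> ignored, authorization continues.
    """
    applied: dict[str, str] = {}
    ignored: list[str] = []
    for p in av_pairs:
        if p.attribute in known_attrs:
            applied[p.attribute] = p.value
        elif p.mandatory:
            return False, applied, ignored
        else:
            ignored.append(p.attribute)
    return True, applied, ignored


def demo() -> dict[str, dict[str, bool]]:
    """Evaluate the mandatory and optional role attribute against both clients."""
    replies = {
        "mandatory": [parse_av_pair('shell:roles="network-admin"')],
        "optional": [parse_av_pair('shell:roles*"network-admin"')],
    }
    return {
        name: {
            "ios": authorize(IOS_KNOWN, reply)[0],
            "mds": authorize(MDS_KNOWN, reply)[0],
        }
        for name, reply in replies.items()
    }


if __name__ == "__main__":
    for form, outcome in demo().items():
        print(f"{form:>9}: IOS passes={outcome['ios']}, MDS passes={outcome['mds']}")
```

Running it shows the mandatory form passing on the MDS model and failing on the IOS model, while the optional form passes on both; the `*` separator is what lets one account serve both device types, as the 1.3.5 post describes.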

I applied the

cisco-av-pair*shell:roles="network-admin"

command in my TACACS+ settings and I have successfully logged in to my router and MDS 9K (OS 1.3.4a).

However, I have experienced some problems in the login process for the MDS (It seems like a bug). Sometimes it works and sometimes it doesn’t. Maybe it's the bug that ARueda is talking about (CSCee83961).

Pura Vida

That is part of the bug. When you have a somewhat large Cisco environment with multiple Ethernet and fiber gear this becomes more clear. The bug does affect Cisco's IOS, but given the large IOS base, it was easier to fix SAN-OS. I am going to load 2 on one of our production switches this weekend. If you want me to, I can keep you posted.

Thank you, yes, please keep me posted.

Arueda
Level 1

There is a fix for this in the new release of SAN-OS v2.

You cannot have both local and ACS authentication working on SAN-OS v1.3x. I reported the bug back in July of 2004 and it finally got fixed!

This bug exists on the MDS 9K series, but I would believe that it would apply to yours.

Thanks for the info, it was very helpful.

Pura Vida
