Cisco Support Community
Community Member

AAA Authentication Question

I'm using MDS 2916 and Cisco ACS 3.1.

I'm able to create user accounts in ACS that can successfully log on to the MDS 2916 via telnet. However, these users have "Network-operator" privileges. How can I give these TACACS+ user accounts "Network-admin" privileges?

8 REPLIES
Cisco Employee

Re: AAA Authentication Question

The network-admin attribute will be passed to the MDS as an AV-Pair.

In order to do this, follow these steps:

1. go to your ACS server

2. select your user

3. All the way down there is a table named: TACACS+ Settings

4. Check Shell (exec) and Custom attributes

5. In the following edit box put this:

cisco-av-pair=shell:roles="network-admin"

This will return the role "network-admin" to the MDS for that specific user.

Community Member

Re: AAA Authentication Question

I successfully modified my user and was authenticated as Network Admin in the MDS. However, when I try to log in into my routers I get the following message:

TAC+: Received Attribute "shell:roles="network-admin""

AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:roles="network-admin"

AAA/AUTHOR/EXEC: Authorization FAILED

Do I have to create 1 user to administrate my routers and 1 user for my MDS?

Thanks for your help

Cisco Employee

Re: AAA Authentication Question

Starting with SAN-OS 1.3.5, you can apply the following in TACACS+ so an MDS user will get to be admin. However, the following does not interfere with the IOS enable privileges. In a nutshell, if you want it all to work together, upgrade the MDSs to 1.3.5 and, in the server, use one of the following:

cisco-av-pair*shell:roles="network-admin"

cisco-av-pair*shell:roles*"network-admin"

cisco-av-pair=shell:roles*"network-admin"

cisco-av-pair=shell:roles="network-admin"
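
The two replies above (the ACS custom-attribute steps, and the four `=`/`*` spellings that keep IOS from failing) both come down to one TACACS+ detail: in an authorization reply each argument is `name=value` (mandatory) or `name*value` (optional), and a client that does not understand a mandatory argument must fail the authorization, while it simply ignores an unknown optional one. That is exactly what the router debug in the thread shows. The following is an added example, not code from the thread or from Cisco: a small parser for reply arguments plus two client emulations, one modelling the IOS EXEC decision and one modelling the MDS extracting roles. The on-wire strings, the reply lists and the set of "known" IOS attributes are constructed for illustration; how ACS turns a `cisco-av-pair*...` GUI entry into the optional on-wire form is not shown on the page, so the example takes the on-wire strings as given.

```python
"""Added example, not part of the original thread: how a TACACS+ client
interprets the AV pairs in an authorization reply, and why the separator
between attribute name and value decides whether a router that does not
understand shell:roles fails the login.

Protocol facts assumed here (TACACS+ authorization REPLY):
  - each argument is "name=value" (mandatory) or "name*value" (optional),
    split at the FIRST '=' or '*';
  - a client that receives a mandatory argument it does not understand must
    fail authorization; an unknown optional argument is ignored.
The sample replies below are constructed; the set of "known" IOS EXEC
attributes is an illustrative subset, not a complete list.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool

    def wire(self) -> str:
        """Re-encode the argument as it travels in the packet."""
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


_SEP = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_avpair(arg: str) -> AVPair:
    """Split one argument at its first '=' or '*'. Everything after that is
    the value, so shell:roles="network-admin" keeps its quotes intact."""
    m = _SEP.match(arg)
    if not m:
        raise ValueError(f"malformed AV pair: {arg!r}")
    name, sep, value = m.groups()
    return AVPair(name, value, mandatory=(sep == "="))


# Illustrative subset of shell (EXEC) attributes an IOS router understands.
IOS_EXEC_ATTRS = frozenset({"priv-lvl", "autocmd", "timeout", "idletime"})


def ios_exec_authorization(args: list[str]) -> dict:
    """Emulate the EXEC authorization decision the thread's debug shows:
    an unknown mandatory AV fails the session, an unknown optional AV is
    skipped, and known AVs are applied."""
    applied: dict[str, str] = {}
    for av in map(parse_avpair, args):
        if av.name in IOS_EXEC_ATTRS:
            applied[av.name] = av.value
        elif av.mandatory:
            return {"status": "FAIL",
                    "reason": f"unknown mandatory AV: {av.wire()}",
                    "applied": {}}
        # unknown and optional: ignored, authorization continues
    return {"status": "PASS", "reason": "", "applied": applied}


def mds_roles(args: list[str]) -> list[str]:
    """Emulate the MDS side: the user's roles are the whitespace-separated
    names inside shell:roles, whether the argument was sent as mandatory or
    optional. (Several roles in one quoted value is an assumption about the
    format; the thread only shows a single role.)"""
    roles: list[str] = []
    for av in map(parse_avpair, args):
        if av.name == "shell:roles":
            roles.extend(av.value.strip('"').split())
    return roles


if __name__ == "__main__":
    # Constructed replies: the mandatory form (what the router debug in the
    # thread rejected) and the optional form that an unknown-but-harmless
    # argument should take on the wire.
    mandatory_reply = ['priv-lvl=15', 'shell:roles="network-admin"']
    optional_reply = ['priv-lvl=15', 'shell:roles*"network-admin"']
    for reply in (mandatory_reply, optional_reply):
        print(reply, "-> IOS:", ios_exec_authorization(reply)["status"],
              "| MDS roles:", mds_roles(reply))
```

The practical check this gives you: if a server profile is shared between devices that do and do not understand an attribute, anything a device may not recognise must go out as optional (`*`), or every login to the devices that do not know it fails authorization outright, which is a denial of service you inflict on yourself.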

Community Member

Re: AAA Authentication Question

I applied the

cisco-av-pair*shell:roles="network-admin"

command in my TACACS+ settings and I have successfully logged in to my router and MDS 9K (SAN-OS 1.3.4a).

However, I have experienced some problems in the login process for the MDS (it seems like a bug). Sometimes it works and sometimes it doesn't. Maybe it's the bug that ARueda is talking about (CSCee83961).

Pura Vida

Community Member

Re: AAA Authentication Question

That is part of the bug; when you have a somewhat large Cisco environment with multiple Ethernet and fiber gear this becomes more clear. The bug does affect Cisco's IOS, but given the large IOS base, it was easier to fix SAN-OS. I am going to load 2 on one of our production switches this weekend. If you want me to, I can keep you posted.

Community Member

Re: AAA Authentication Question

Thank you, yes, please keep me posted.

Community Member

Re: AAA Authentication Question

There is a fix for this in the new release of SAN-OS v2.

You cannot have both local and ACS authentication working on SAN-OS 1.3x. I reported the bug back in July of 2004 and it finally got fixed!

This bug exists on the MDS 9K series, but I would believe that it would apply to yours.

Community Member

Re: AAA Authentication Question

Thanks for the info, it was very helpful.

Pura Vida
