
New Member

WAE, TACACS and ACS

I have a bit of a strange problem with authentication on my WAE boxes. I am using TACACS authentication for administrative access to the devices. (I didn't change the authentication on the WAAS box itself just in case I had any trouble) I am authenticating against a Cisco ACS appliance.

I have enabled both tacacs authentication and authorization on my WAEs. I can authenticate using my TACACS credentials. Unfortunately it puts me into "user" mode when I telnet or SSH in, not enable mode. It won't let me in via the web browser (seemingly no matter which credentials I use). If I use the enable command it prompts me for a password. I can then use the administrator password to get into enable mode.

All my other network devices are also using tacacs authentication and authorization. With that same account I can authenticate and get into enable mode using my tacacs credentials. My account has the shell(exec) box ticked in ACS and also is a member of a group that has a Max privilege of Level 15 and uses per-command authorization with all commands permitted.

Is there anything special that needs to be done to get the WAAS or WAE boxes to see my account as a level 15 account rather than requiring me to use the administrator password as well?

Thanks in advance,

Peter

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: WAE, TACACS and ACS

Peter,

The account in ACS also needs to be configured with a 'Privilege level' (1 or 15) for the shell service under the TACACS+ Settings.

Note that authorization only applies to terminal (console, telnet, etc.) sessions. In order to access the WAE GUI interface using your TACACS credentials, you will need to create a user account in the CM under:

System > AAA > Users

Under the user account information, check the box titled 'WAE Device Manager User' and select an access mode.

Zach
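As an added example (not code from the thread, from Cisco or from WAAS), the following Python script runs a minimal TACACS+ authorization exchange framed per RFC 8907 and shows where the privilege level Zach refers to actually travels: as the `priv-lvl` attribute in the server's authorization RESPONSE for `service=shell`. The shared secret, session id, user name, port and remote address are constructed values; the rule that a PASS reply with no `priv-lvl` attribute leaves the session at level 1 is an assumption that mirrors the behaviour Peter described, not something read from WAAS.

```python
"""TACACS+ authorization exchange for a shell login (RFC 8907 framing).

Constructed example: the client asks for service=shell authorization, the
server answers either with priv-lvl=15 or with no priv-lvl at all, and the
client works out which exec level it would land in. Key, session id and
identities are made up for the demo.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

VERSION = (0xC << 4) | 0x0          # major 0xc, minor 0 -> 0xc0
TYPE_AUTHOR = 0x02                  # packet type: authorization
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def header(seq_no: int, session_id: int, body_len: int) -> bytes:
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, body_len)


def author_request(user: str, port: str, rem_addr: str, args: List[str]) -> bytes:
    """Authorization REQUEST body as a device would send it for an exec start."""
    arg_bytes = [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB",
                        0x06,   # authen_method: TACACSPLUS
                        1,      # priv_lvl currently held (user mode)
                        0x01,   # authen_type: ASCII
                        0x01,   # authen_service: LOGIN
                        len(user), len(port), len(rem_addr), len(arg_bytes))
    return (fixed + bytes(len(a) for a in arg_bytes) + user.encode()
            + port.encode() + rem_addr.encode() + b"".join(arg_bytes))


def author_response(status: int, args: List[str], server_msg: str = "") -> bytes:
    """Authorization RESPONSE body as the AAA server returns it."""
    arg_bytes = [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), 0)
    return fixed + bytes(len(a) for a in arg_bytes) + server_msg.encode() + b"".join(arg_bytes)


def parse_response(body: bytes) -> Tuple[int, List[str]]:
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, args


def split_av(arg: str) -> Tuple[str, str]:
    """'attr=value' is mandatory, 'attr*value' optional; split on the first separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:]
    return arg, ""


def shell_privilege(status: int, args: List[str]) -> Optional[int]:
    """Exec level granted. Assumption mirroring the thread: PASS without a
    priv-lvl attribute leaves the user at level 1; FAIL/ERROR denies (None)."""
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    attrs = dict(split_av(a) for a in args)
    return int(attrs.get("priv-lvl", "1"))


def exchange(server_returns_priv: bool, key: bytes = b"demo-shared-secret",
             session_id: int = 0x1A2B3C4D) -> Optional[int]:
    """Both sides of the exchange over the wire format; returns the granted level."""
    req_body = author_request("peter", "ssh", "10.0.0.5", ["service=shell", "cmd="])
    wire_req = header(1, session_id, len(req_body)) + obfuscate(req_body, session_id, key, 1)
    # server side: strip header, de-obfuscate with the shared key, decide
    _, _, seq, _, sid, blen = struct.unpack("!BBBBII", wire_req[:12])
    assert obfuscate(wire_req[12:12 + blen], sid, key, seq) == req_body
    reply_args = ["priv-lvl=15"] if server_returns_priv else []
    resp_body = author_response(AUTHOR_STATUS_PASS_ADD, reply_args)
    wire_resp = header(2, sid, len(resp_body)) + obfuscate(resp_body, sid, key, 2)
    # client side: de-obfuscate the reply and read the attributes
    _, _, seq2, _, sid2, blen2 = struct.unpack("!BBBBII", wire_resp[:12])
    status, args = parse_response(obfuscate(wire_resp[12:12 + blen2], sid2, key, seq2))
    return shell_privilege(status, args)


if __name__ == "__main__":
    print("with priv-lvl=15:", exchange(True))
    print("without priv-lvl:", exchange(False))
```

The two runs at the bottom reproduce the symptom in the thread: the same account, the same `service=shell` request, and the only difference is whether the server's reply carries `priv-lvl=15`. When it does not, the device has nothing to promote the session with and the user is left at level 1, which is why `enable` then falls back to the local administrator password.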

7 REPLIES
New Member

Re: WAE, TACACS and ACS

Zach,

Thanks, you sorted out my problem. I must say that AAA configuration / assigning roles for the GUI is extremely counter-intuitive.

Peter

New Member

Re: WAE, TACACS and ACS

Zach,

Is there a programmatic way to create these user accounts and assign the appropriate permission level? We have over 300 users in our system and I don't want to enter each one manually.

Not to mention the day-to-day maintenance when people leave or join the company.

- Bill

Cisco Employee

Re: WAE, TACACS and ACS

Bill,

Currently authorization is still provided locally by CM. In a future release, we will support full AAA through an external entity, such as ACS. This will negate the need to manage local user accounts.

Zach

New Member

Re: WAE, TACACS and ACS

Hello

Will this be fixed in 4.1?

Thanks

Cisco Employee

Re: WAE, TACACS and ACS

Cameron,

The WAAS 4.1 release adds the ability to configure permissions in the Central Manager based on user groups, and then associate one or more groups with user accounts in an ACS server.

Zach

New Member

Re: WAE, TACACS and ACS

Just out of interest, has anybody got this functionality to work with user groups in 4.1? I am able to log in to the CM; however, there are no privileges to do anything. I've set up the group "NSE" in CM to match TACACS (Cisco ACS) and gave that group admin privileges. I am able to telnet to the devices with admin privileges without a problem.

I've attached the syslogs from the CM of the test account logging in.
