ACE and AAA (TACACS+)

Hi there,
I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I get the message "authorization failed". Here is the AAA debug from the switch:
Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
Any idea what's wrong?
Best regards Dirk

Hi Prem,
Thanks a lot, it's working now...
FYI, I need this attribute for the USER<>ROLE mapping in the ACE.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
Can you give me a link where I can find the information you gave me?
Best regards
Dirk

Similar Messages

  • ACE and AAA (TACACS) part 2


    Hi,
    I've got the following info from a user here in the forum:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    [quote]
    The user profile attribute serves an important configuration function for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.
    [quote end]
    This is the way I configured the ACS...
    Be careful with the attribute... because if you set it the way the documentation describes, you will not be authorized on other devices using TACACS+.
    You have to set the attribute in this way:
    shell:* - this works for both switches and ACE
    shell:= - this works only for the ACE
    Then the attribute is marked as optional and only the ACE cares about it.
    Regards Dirk

  • Integrate Cisco ACE into AAA TACACS+

    Dear Community!
    I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting features. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all the configuration parameters mentioned in this document, and everything seems to be OK.
    But...
    I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
    Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
    I tried upgrading IOS on a router, but no luck...
    Does anybody have any experience with this "bug"?
    Thanks in advance!
    Regards,
    Belabacsi
    @ Budapest, Hungary

    Hello Bela,
    In the ACE, on every context (including Admin and the others) you should have the following lines:
    tacacs-server host x.x.x.x key 7 "xxx"
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ MYTACACS
      server x.x.x.x
      server x.x.x.x
    aaa authentication login default group MYTACACS local
    aaa authentication login console group MYTACACS local
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
    1. Shell (exec) enabled
    2. Privilege level 15
    3. Custom attributes:
              shell:Admin*Admin default-domain
        if you have an additional context, add the next line:
              shell:mycontext*Admin default-domain
    After logging in to the ACE and issuing the sh users command you should see the following:
    User      Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Regards,
    Stas
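The behaviour behind the "received unknown mandatory AV" failure in Dirk's debug, his shell:* versus shell:= note, and Stas's per-context shell:<context>*Role Domain attributes all come down to the separator character in a TACACS+ AV pair. The following is an added example, not code from the forum posts and not Cisco code: it models how an IOS-style EXEC authorization client processes the AV pairs in a PASS_ADD reply ('=' is mandatory, '*' is optional, as the TACACS+ protocol defines) and how the ACE reads its role for a given context from the same reply. KNOWN_SHELL_ATTRS, the result structure and the two sample replies are assumptions constructed for the example.

```python
# Added example: TACACS+ AV pair processing on the switch and on the ACE.
# Not from the forum posts or from Cisco; the known-attribute list, result
# structure and sample replies are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


# Attributes an IOS-style EXEC authorization understands (assumed list).
# "service" and "cmd" are included because IOS echoes its own request AVs
# while processing the reply, as the debug in the thread shows.
KNOWN_SHELL_ATTRS = {"service", "cmd", "priv-lvl", "autocmd", "timeout",
                     "idletime", "acl"}

# What the ACE assigns when no shell:<context> attribute matches the context
# the user logs in to (from the ACE documentation quoted in the thread).
ACE_DEFAULT_ROLE = ("Network-Monitor", ["default-domain"])


def parse_av_pair(raw: str) -> AVPair:
    """Split one AV pair at its first '=' or '*'.

    The attribute name may contain neither character, so the earliest of
    the two is the separator: 'shell:Admin=Admin' is mandatory,
    'shell:Admin*Admin default-domain' is optional, and 'cmd*' is an
    optional attribute with an empty value.
    """
    positions = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"AV pair without separator: {raw!r}")
    sep = min(positions)
    return AVPair(attr=raw[:sep], value=raw[sep + 1:], mandatory=raw[sep] == "=")


def authorize_exec(reply_avs, known=KNOWN_SHELL_ATTRS):
    """Process a PASS_ADD reply the way an IOS EXEC authorization does.

    Returns a dict with 'status' ("PASS"/"FAIL"), 'attrs' (understood
    attributes and values), 'ignored' (unknown optional attributes) and
    'reason'. One unknown *mandatory* attribute fails the whole
    authorization, which is what the switch logged for shell:Admin=Admin.
    """
    attrs, ignored = {}, []
    for raw in reply_avs:
        av = parse_av_pair(raw)
        if av.attr in known:
            attrs[av.attr] = av.value
        elif av.mandatory:
            return {"status": "FAIL", "attrs": {}, "ignored": ignored,
                    "reason": f"unknown mandatory AV: {raw}"}
        else:
            ignored.append(av.attr)
    return {"status": "PASS", "attrs": attrs, "ignored": ignored, "reason": ""}


def ace_role_for_context(reply_avs, context):
    """Return (role, domains) the ACE derives for a login to `context`.

    The ACE looks only for shell:<context>; its value is the role followed
    by the domain(s), e.g. 'Admin default-domain'. Because nothing else in
    the reply matters to the ACE, the attribute can be optional for the
    switches and still be honoured here.
    """
    for raw in reply_avs:
        av = parse_av_pair(raw)
        if av.attr == f"shell:{context}":
            parts = av.value.split()
            if parts:
                return parts[0], parts[1:]
    return ACE_DEFAULT_ROLE


# Constructed sample replies: the AVs from the debug in the thread (mandatory
# form) and the optional form Dirk and Stas describe.
REPLY_MANDATORY = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin=Admin"]
REPLY_OPTIONAL = ["service=shell", "cmd*", "priv-lvl=15",
                  "shell:Admin*Admin default-domain"]

if __name__ == "__main__":
    for reply in (REPLY_MANDATORY, REPLY_OPTIONAL):
        print("switch:", authorize_exec(reply))
        print("ACE   :", ace_role_for_context(reply, "Admin"))
```

Running it shows the mandatory reply failing on the switch while the optional reply passes with priv-lvl=15 and shell:Admin merely ignored; on the ACE side a login to a context that has no shell:<context> attribute falls back to Network-Monitor, which is the "can only look, cannot run commands" symptom reported elsewhere in these threads.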

  • ACE - Setup AAA TACACS+ using CS Unix ACS

    Hi,
    I have set up AAA TACACS+ on the ACE Admin context with RSA token. This is similar to the AAA IOS setup.
    I can log in but it does not allow me to run any commands.
    "show users" under Domain says I am logged in as "Network-Monitor default-domain".
    Any ideas how to get around this and make myself part of the Admin group?
    Also, is there any documentation on setting up AAA on the ACE module using Cisco Secure ACS for Unix?
    Thanks
    Sanjay

    Hi,
    It did work as you suggested. I had to move the user into [Root] as we have other shell attributes in different groups.
    Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
    Oct 16 15:18:29 c1 user = test2 {
    Oct 16 15:18:29 c1 service = shell {
    Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    Oct 16 13:18:29 c1 }
    Oct 16 13:18:29 c1 service = exec {
    Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    ACE-Admin/Admin# sh users
    User Context Line Login Time (Location) Role Domain(s)
    admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
    *test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
    When I moved the user into the support group with existing shell access configured, it dumps me in Network-Monitor mode. Maybe due to TACACS+ attribute inheritance. I did not want to stuff up existing support users.
    So I guess my option is to use RADIUS as the login method.
    I am trying to get it going but the CS ACS Unix does not like:
    cisco-avpair = "shell:Admin=Admin default-domain;
    Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
    Oct 16 15:18:29 c1 check_items = {
    Oct 16 15:18:29 c1 200 = 1
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 reply_attributes = {
    Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
    Oct 16 15:18:29 c1 6 = 6
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 }
    Now I get :
    [ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
    Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
    test2 failed
    It would be good to see if anyone else has tried this.
    sanjay

  • ACE and TACACS+ auth

    I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices. I have all the routers and switches working just fine, but am having an issue getting the ACE to use TACACS+. I've configured the ACE to authenticate to an ACS server by adding the additional shell custom attribute (shell:Admin*Admin default-domain) and this worked fine. I found some documentation on TACACS+ that described how to add this same attribute to the tac_plus.conf file, but it doesn't seem to want to work. My AAA config from the ACE as well as the tac_plus.conf file contents are below. I know the AAA is working with this TACACS+ server as the accounting functions properly.
    ACE AAA
    tacacs-server host 10.1.0.202 key 7 <removed>
    aaa group server tacacs+ TAC_AUTH
      server 10.1.0.202
    aaa authentication login default group TAC_AUTH local
    aaa authentication login console group TAC_AUTH local
    aaa accounting default group TAC_AUTH local
    tac_plus.conf
    # Accounting Logs
    accounting file = /data/tacacs.log
    # Server Key
    key = <removed>
    # ACL
    acl = auth_routers {
        permit = .*
    }
    # Groups
    group = admin {
        login = file /etc/passwd
        acl = auth_routers
        service = exec {
            optional shell:Admin = "Admin default-domain"
        }
    }
    # Users
    user = admin1 {
        default service = permit
        member = admin
    }
    user = admin2 {
        default service = permit
        member = admin
    }
    user = admin3 {
        default service = permit
        member = admin
    }

    Anyone?

  • AAA TACACS with Brocade Switches

    We are testing authentication on Brocade switches with our AAA TACACS+ server. It seems that after authenticating to enable mode, you can type "exit" and be dropped back to level 7 mode. From this point you can type "enable" and authenticate to the switch using the local "enable" password, not via TACACS+. Has anyone run across this and is there a way to correct it? Is there something that needs to be configured in TACACS+ on the server to recognise the Brocade switch and make this work?
    Ray

    Hi Ray,
    What ACS version are you using?
    On a cisco switch the following command is used:
    switch(config)# aaa authentication enable default tacacs+ enable
    The above command is used to set the TACACS+ as the default check for the enable password. If TACACS+ is not available it will fall back to the local enable password.
    You need to look for such an option on the Brocade switch.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Urgent!!! Cisco ACE and asymmetric routing assistance needed

    I am wondering if someone can give me pointers on the Cisco ACE
    and asymmetric routes. I've attached the diagram:
    - Cisco IOS IP addresses are 192.168.15.4/24 and 4.1.1.4/24
    - Firewall external interface is 192.168.15.1/24,
    - Firewall internal interface is 192.168.192.1/24,
    - F5_BigIP external interface is 192.168.192.4/24,
    - F5_BigIP internal interfaces are 192.168.196.1/24 and 192.168.197.1/24,
    - host_y has IP addresses 192.168.196.10/24 and 192.168.197.10/24,
    - Checkpoint has static routes for 192.168.196.0/24 and 192.168.197.0/24 pointing to the F5_BigIP,
    - host_y is dual-homed to both VLAN_A and VLAN_B, with the default gateway on host_y pointing to VLAN_A, which is 192.168.196.1,
    - host_x CAN ssh/telnet/http/https to both host_y IP addresses, 192.168.196.10 and 192.168.197.10.
    In other words, from host_x, when I try to connect to host_y via the IP address 192.168.197.10, the traffic goes through VLAN_B but the return traffic goes through VLAN_A. Everything is working perfectly for me so far.
    Now the customer has just replaced the F5_BigIP with a Cisco ACE. Now I could not get it to work with asymmetric routing on the Cisco ACE. In other words, from host_x, I can no longer ssh or telnet to host_y via the IP address 192.168.197.10.
    Does anyone know how to get asymmetric routing to work on the Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client NAT on the ACE using a different NAT pool.
    Gilles.

  • It's my 3000th post – Oracle ACE and Oracle employees

    Hello,
    So, this is my post number 3000. In this forum, it's not so unique, but still I decided to dedicate it to the subject of Oracle ACE and Oracle employees.
    Recently, Joel blogged about Carl being awarded Oracle ACE (http://joelkallman.blogspot.com/2009/02/carl-backstrom-oracle-ace.html), after special efforts made by Sharon, because "the folks at the Oracle Technology Network decided that Oracle employees could no longer be awarded the ACE designation". I truly wish I could write that Carl is living proof of this decision being misguided. Unfortunately, I can't. However, Carl's case paints the situation in strong colors. Only after his death was Carl honored with something that I'm sure seems so obvious to most of us.
    I'm thinking that if this decision, not to award Oracle employees with Oracle ACE, had been made sooner, people like Scott and Joel would not have been awarded Oracle ACE, not to mention Tom Kyte, and probably others I'm not familiar with. Scott and Joel deal with APEX all day long, as part of their job, and this forum is not part of their day job description. Still, they find the time to help us all. Just look at the post counter of Scott. I'm amazed each time I see it. Scott, with all his experience, doesn't limit himself to only the most complicated issues. You can see his replies, to the most basic issues, almost every day. Joel never failed to help me, and many others on this forum, every time there is an issue only he can help with. Scott and Joel were lucky, and were awarded Oracle ACE prior to this decision. Carl was less lucky, and as Joel wrote, I can't think of anyone who better represents the true meaning and spirit of the Oracle ACE program.
    The point I'm trying to make is that Oracle ACE should not be left to luck and timing, or place of work, for that matter. I'm sure that the OTN folks had the best intentions when making this decision. I can understand that people might suspect favoritism toward Oracle employees; however, the solution shouldn't be the easy one – no to every Oracle employee.
    While writing, I can think of Tyler. He's no longer a member of the APEX team, but we can still enjoy his wisdom and experience on this forum, not to mention his APEX dedicated blog entries, where he covers special and more complex aspects of working with this tool. I don't know if Tyler qualifies to become Oracle ACE (and, of course, I'm only using him as an example) but it seems wrong to me not to even consider it, just because he happens to work for Oracle. I'm sure there are others like Tyler in the other forums. I believe that this kind of behavior, by Oracle employees, should be encouraged, and not taken for granted. Certainly, they shouldn't be penalized.
    So, what does all of this have to do with my 3000 posts? I believe I earned the right to call myself a frequent poster on this forum. As such, I know how time consuming this forum can be, not to mention the hard and tedious job of repeating the same answers to the same questions, pointing to old references, and such. So, I want to take this opportunity to thank all the active participants of this forum, Oracle employees and others. In spite of all the hardship, this forum can also be very rewarding, and at least for me, a very educational experience. I learned a lot in my attempts to help others. I can wholeheartedly recommend it to everyone who enjoys helping others, and enriching him/herself in the process.
    Regards,
    Arie.

    If I understand you correctly, you ought to reinstall. At this point, even if you're able to resurrect this installation, it might be severely unstable. Mostly because of my proclivity for messing around with settings until I screw something up, I have a tremendous amount of experience with the recovery console, and my success rate is not inspiring. If you have data you need on the drive, your best course of action is to reinstall to a different boot drive, and once you’re able to boot, archive the files you want from the corrupted installation. Then you can wax both drives, restore the data and get everything back the way you want it. Getting your data back from the recovery console is basically a lost cause since it doesn't support wildcards (as in, you'd have to copy every freaking file one at a time).
    I re-read the above paragraph, and it's not the clearest thing I've ever written, so if you need clarification on anything, let me know.

  • Few people are "Oracle ACE" and "Java Champion"

    Few people are both "Oracle ACE" and "Java Champion".
    What's whose icon? :|
    I think there should not be only one icon.
    For instance, I am Pro (I have 570 points) and "Oracle ACE".
    Therefore I hope that my icons are "Pro" and "Oracle ACE".

    BluShadow wrote:
    can't you create an icon with the Java character holding an Ace?
    It reminds me of award icons (achievements) one gets on Steam and Xbox Live. My favourite - the award for getting a fair number of WW2 tank commanders that pop head-out-of-turret, as an infantry rifleman (with a puny bolt action rifle). Satisfaction getting the commander of a crew that hides inside the belly of an armoured beast, that tries to turn my comrades and me into roadkill or a 1000 exploding bits (or pixels to be more accurate)... ;-)
    One option here could be a signature line - that lays bare one's claim to fame, knowledge and experience. This is often standardised by community agreement on some web forums (the gamer ones often include clan tags and titles with h/w specs). Or something like GeekCode.
    Never really fancied that myself - but it could be fun putting an Oracle based geekcode together. ;-)

  • 3rd party Certificate and AAA Authentication

    I am using a Cisco ASA 5520 and I have set up remote access VPN with an AnyConnect connection profile.
    In the connection profile I have set it up so that users must authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued by a 3rd party.
    This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as an associated trustpoint on the ASA to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combination of Joe's certificate and Jane's username/password. Both are valid (in isolation), but I only want Jane to be able to authenticate with her username/password and her personal certificate.
    I got the idea that I could put the serial number of the user's certificate on the user object in AD (in the user's department field or something like that) and check whether this value matches during authentication.
    So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see, the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and I think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-Windows 2000.
    After some trial and error I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (LDAP) server under "AAA server groups".
    So I changed the naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as the username. After that I tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The LDAP debug is clear: the LDAP query during authentication is now searching for the user using the department field, looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field, so I took a look at the user object looking for a more suitable attribute. To my surprise the user has a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution; I can't see any issues regarding security, and it will be a breeze to administer. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input, Marcin.
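The check Kenneth arrives at (the certificate's serial number, used as the LDAP naming attribute, selects the single directory user whose password is then verified) is easy to model and worth having a reference for, because the property that matters is that Joe's certificate can never resolve to Jane's account. The following is an added example, not code from the post and not ASA or Active Directory code: the in-memory directory, the toy password store, the serial values and the single-equality filter evaluator are constructed for the example; the filter escaping follows RFC 4515 so that a value copied from a certificate field cannot change the structure of the search.

```python
# Added example: binding a client-certificate serial to exactly one directory
# user before the password is checked. Not from the forum post and not ASA/AD
# code; directory, password store and serial values are constructed.
import hashlib
import hmac
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_serial_filter(serial: str) -> str:
    """The filter issued when serialNumber is the naming attribute."""
    return f"(serialNumber={escape_filter_value(serial)})"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, ldap_filter):
    """Evaluate one equality filter '(attr=value)' over the directory.

    Matching is exact after unescaping and case-insensitive, like AD's
    default matching rules. There is no wildcard handling, so an escaped
    '*' stays a literal character.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, wanted = m.group(1), _unescape(m.group(2)).lower()
    hits = []
    for entry in directory:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if any(v.lower() == wanted for v in values):
            hits.append(entry)
    return hits


def resolve_user_dn(directory, cert_serial):
    """Map a certificate serial to exactly one user DN, otherwise None.

    Zero hits means the certificate is not enrolled. More than one hit means
    the serial was copied onto several users, which would let any of them
    log in with that certificate, so it is treated as a failure too.
    """
    hits = search(directory, build_serial_filter(cert_serial))
    return hits[0]["dn"] if len(hits) == 1 else None


def _toy_hash(password: str) -> str:
    # Toy password store for the example only; a real bind is verified by the directory.
    return hashlib.sha256(password.encode()).hexdigest()


def authenticate(directory, cert_serial, password):
    """Certificate + AAA: the serial picks the user, the password must be that user's."""
    dn = resolve_user_dn(directory, cert_serial)
    if dn is None:
        return False
    entry = next(e for e in directory if e["dn"] == dn)
    return hmac.compare_digest(entry["pwhash"], _toy_hash(password))


# Constructed directory; serialNumber is multi-valued, as the post notes.
JANE_SERIAL = "1a2b-3c4d-5e6f70819"
JOE_SERIAL = "9f8e-7d6c-5b4a39281"
DIRECTORY = [
    {"dn": "CN=Jane,OU=Users,DC=testlab,DC=local", "sAMAccountName": ["jane"],
     "serialNumber": [JANE_SERIAL], "pwhash": _toy_hash("jane-pw")},
    {"dn": "CN=Joe,OU=Users,DC=testlab,DC=local", "sAMAccountName": ["joe"],
     "serialNumber": [JOE_SERIAL], "pwhash": _toy_hash("joe-pw")},
]

if __name__ == "__main__":
    print(build_serial_filter(JANE_SERIAL))
    print("Jane cert + Jane password:", authenticate(DIRECTORY, JANE_SERIAL, "jane-pw"))
    print("Joe cert  + Jane password:", authenticate(DIRECTORY, JOE_SERIAL, "jane-pw"))
```

The second print is the case from the post: Joe's certificate resolves to Joe's DN, so Jane's password is checked against the wrong account and the login fails. The duplicate-serial rule is the operational caveat for the admin tool Kenneth plans to write: if the same serial is ever written onto two user objects, the lookup becomes ambiguous and should deny rather than pick the first match.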

  • Can anyone recommend a good document for Cisco IDS and AAA

    I need a basic tutorial for Cisco IDS and AAA. Can anyone recommend a document for it?
    thanks

    The Cisco IDS/IPS sensors do not perform any AAA functions. You cannot validate a user/password externally.

  • ACE and SSLM support Subject Alternative Name (SAN)

    Hi
    I want to migrate an Exchange server to Exchange 2010, and I would like to know if the ACE and SSLM support Subject Alternative Names (SAN).
    1. Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names, i.e. a certificate that has both of these names in it?
       a. exchange.ww.edu
       b. legexchange.ww.edu
    2. Can the new ACE (ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names, i.e. a certificate that has both of these names in it?
       a. exchange.ww.edu
       b. legexchange.ww.edu
    Thanks
    Nomi

    I don't see anything in the config guide where the ACE can generate certs with SANs. However, if you are going to generate the cert and keys offline, then it might work. Can you supply a sample PKCS#12 file in PEM format that I can test in the lab? Which s/w version?
    Matthew

  • ACE 4710 A3(2.0) and ACS - TACACS+

    Hi.
    I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
    ACE 4710:
    tacacs-server host 10.7.50.20 key 7 "fewhg"
    aaa group server tacacs+ tacacs_server_group
        server 10.7.50.20
        deadtime 15
    aaa authentication login default group tacacs_server_group local none
    aaa accounting default group tacacs_server_group local
    aaa authentication login error-enable
    ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
    The strange part is what I see when I set up Wireshark on my ACS server to look at the traffic. From what I can see, the ACE only sends a request to the AAA server if the user exists locally. But I do not get authenticated, and Failed Attempts shows a line with Message-Type: "Unknown NAS".
    It seems like others have the same problem. The problem is that the link attached in the topic below only leads me back to the forum and not to a topic with a solution.
    https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
    Any help is appreciated and thanks in advance!

    Are you using telnet or SSH?
    If SSH, can you try telnet (allow telnet in your management policy to do this). Then, if it works via telnet, try SSH again; if it now works then you have hit CSCsu36078
    http://tools.cisco.com/squish/03240

  • AAA, Tacacs+ and ACS

    I'm trying to use ACS (v4.1) to authenticate admins to our Cisco switches and also restrict access to particular commands for particular users. I've done a lot of research on this but can't find a complete document that goes through it step by step.
    What I have so far on the switch is
    enable secret 5 removed
    username admin privilege 15 password 7 removed
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    The local admin logs in perfectly fine when the switch is not connected to the network.
    When I connect the switch to the network and log in using my AD credentials it works a treat.
    When I try to log in with a local ACS account for testing, which has Max Privilege for any AAA Client set to Level 1 and, under TACACS+ Settings, Shell (exec) ticked as well as Privilege level (also set to 1), it logs in fine, but when I try to go into exec mode it fails with the errors below:
    % Error in authentication.
    .Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
    I don't want test to go into exec mode as level 15; I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
    I'm at a loss to know why this isn't working, so any help would be much appreciated.
    Thanks
    Jon

    The problem you are facing and the error you're seeing on ACS, "max session exceeded", seem to be 2 different issues. I read that you don't want to try this with Max Privilege and privilege level set to 15. However, if you want to restrict a user to a few commands on any IOS, that can't be done like this.
    You need to have command authorization enabled on the switch and a command set on the ACS > Shell Command Authorization. This is a pretty common feature that we use day in, day out.
    You need to set the privilege level to 15 because we are using exec authorization on the switch, and then follow this document.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    You will see a few examples of read-only access and read-write access.
    You may also let me know which commands you would like to allow for read-only access.
    Please feel free to let me know if you need any further assistance.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    To start, I am new to ACS, so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645, but I do see port 49 for TACACS+ and I also see ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing, it should be listening on 1645/6 and 1812/3
    Darra
