ACE - Setup AAA TACACS+ using CS Unix ACS

Hi,
I have set up AAA TACACS+ on the ACE Admin context with RSA token. This is similar to the AAA IOS setup.
I can log in but it does not allow me to do any commands.
"show users", under Domain, says I am logged in as "Network-Monitor default-domain".
Any ideas how to get around this and make myself part of the Admin group?
Also, is there any documentation on setting up AAA on the ACE module using Cisco Secure for Unix ACS?
Thanks
Sanjay

Hi,
It did work as you suggested. I had to move the user into [Root] as we have other Shell attributes in different groups.
Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
Oct 16 15:18:29 c1 user = test2 {
Oct 16 15:18:29 c1 service = shell {
Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
Oct 16 13:18:29 c1 }
Oct 16 13:18:29 c1 service = exec {
Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
ACE-Admin/Admin# sh users
User Context Line Login Time (Location) Role Domain(s)
admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
*test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
When I moved the user into the support group with existing shell access configured, it dumps me in Network-Monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
So I guess my option is to use RADIUS as the login method.
I am trying to get it going but the CS ACS Unix does not like:
cisco-avpair = "shell:Admin=Admin default-domain;
Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
Oct 16 15:18:29 c1 check_items = {
Oct 16 15:18:29 c1 200 = 1
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 reply_attributes = {
Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
Oct 16 15:18:29 c1 6 = 6
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 }
Now I get:
[ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
test2 failed
It would be good to see if anyone else has tried this.
sanjay

Similar Messages

  • Integrate Cisco ACE into AAA TACACS+

    Dear Community!
    I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all configuration parameters mentioned in this document, and everything seems to be OK.
    But...
    I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
    Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
    I tried upgrading IOS in a router, but no luck...
    Does anybody have any experience with this "bug"?
    Thanks in advance!
    Regards,
    Belabacsi
    @ Budapest, Hungary

    Hello Bela
    In ACE, on every context (including Admin and others) you should have the following lines:
    tacacs-server host x.x.x.x key 7 "xxx"
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ MYTACACS
      server x.x.x.x
      server x.x.x.x
    aaa authentication login default group MYTACACS local
    aaa authentication login console group MYTACACS local
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
              shell:Admin*Admin default-domain
        if you have additional context add next line
              shell:mycontext*Admin default-domain
    After logging in to ACE and issuing the sh users command you should see the following:
    User      Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Regards,
    Stas

  • ACE and AAA (TACACS) part 2

    Hi there,
    I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I get the message "authorization failed". Here is the AAA debug from the switch:
    Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
    Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
    Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
    Any idea what's wrong?
    Best regards Dirk

    Hi ,
    I've got the following info from a user here in the forum:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    [quote]
    The user profile attribute serves an important configuration function configuration for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.
    [quote end]
    In this way I configured the ACS...
    Be careful with the attribute... because if you set it in the way the documentation describes, you will not be authorized at other devices using TACACS+.
    You have to set the attribute this way:
    shell:* works for both switches and ACE
    shell:= works only for the ACE
    Then the attribute is marked as optional and only the ACE cares about it.
    Regards Dirk
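The two behaviours described in this thread and in Sanjay's original post (an IOS switch failing EXEC authorization on an unknown mandatory AV, and ACE dropping an unmatched user into Network-Monitor / default-domain) can be modelled in a few lines. This is an added simulation, not code from the forum or from Cisco; the set of AVs the simulated IOS device "knows" is an assumption for the model only.

```python
"""Model of how a TACACS+ shell authorization reply is interpreted.

Constructed simulation, not Cisco code: '=' marks a mandatory AV and '*'
an optional one. IOS fails EXEC authorization on an unknown mandatory AV;
ACE reads 'shell:<context>' into role and domain(s) and falls back to
Network-Monitor / default-domain when no context name matches.
"""
import re
from dataclasses import dataclass

# Attributes the simulated IOS device understands (assumed subset).
IOS_KNOWN = {"priv-lvl", "autocmd", "idletime", "timeout"}
ACE_DEFAULT_ROLE = "Network-Monitor"
ACE_DEFAULT_DOMAIN = "default-domain"


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # '=' marks a mandatory AV, '*' an optional one


def parse_av(text: str) -> AVPair:
    """Split 'attr=value' (mandatory) or 'attr*value' (optional).

    The first '=' or '*' is the separator, so 'shell:Admin*Admin default-domain'
    yields attr='shell:Admin' and value='Admin default-domain'.
    """
    m = re.match(r"^([^=*]+)([=*])(.*)$", text)
    if not m:
        raise ValueError(f"not an AV pair: {text!r}")
    return AVPair(m.group(1), m.group(3), m.group(2) == "=")


def ios_exec_authorization(avs) -> str:
    """Return 'PASS' or 'FAIL' as the switch debug in the thread shows."""
    for av in avs:
        if av.attr not in IOS_KNOWN and av.mandatory:
            return "FAIL"  # 'received unknown mandatory AV: shell:Admin=Admin'
    return "PASS"  # unknown optional AVs are simply ignored


def ace_role_for_context(avs, context: str):
    """Return (role, domains) for a login into the named ACE context."""
    for av in avs:
        if av.attr == f"shell:{context}":
            parts = av.value.split()
            if len(parts) >= 2:
                return parts[0], " ".join(parts[1:])
    # no matching context in the profile: ACE's documented default
    return ACE_DEFAULT_ROLE, ACE_DEFAULT_DOMAIN


def evaluate(profile, context: str = "Admin"):
    """Evaluate one ACS custom-attribute profile against both device types."""
    avs = [parse_av(a) for a in profile]
    return ios_exec_authorization(avs), ace_role_for_context(avs, context)


if __name__ == "__main__":
    mandatory = ["priv-lvl=15", "shell:Admin=Admin default-domain"]
    optional = ["priv-lvl=15", "shell:Admin*Admin default-domain"]
    print(evaluate(mandatory))       # ('FAIL', ('Admin', 'default-domain'))
    print(evaluate(optional))        # ('PASS', ('Admin', 'default-domain'))
    print(evaluate(optional, "C1"))  # ('PASS', ('Network-Monitor', 'default-domain'))
```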

  • ACE and AAA (TACACS+)


    Hi Prem,
    Thanks a lot, it's working now...
    FYI, I need this attribute for the role mapping USER<>ROLE in the ACE.
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    Can you give me a link where I can find the information you gave me?
    Best regards
    Dirk

  • Aaa authentication using tacacs+ for LAP

    With an Autonomous AP, you can configure AAA authentication using TACACS+.
    In a lightweight AP, do you have a similar function where you authenticate using TACACS+ when you telnet/ssh into the LAP after it is registered to the WLC?
    Rgds
    Eng Wee

    There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

  • AAA Authorization Using Local Database

    Hi Guys,
    I'm planning to use AAA authorization using the local database. I have already read about it, I have configured the aaa new-model command and I have already set up users. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help on this.
    FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.

    To allow limited read-only access, use this example.
    We need these commands on the switch:
    Switch(config)#do sh run | in priv
    username admin privilege 15 password 0 cisco123!
    username test privilege 0 password 0 cisco
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show interface
    privilege exec level 0 show switch
    No need for the user to log in to enable mode. All priv 0 commands are now there in user mode. See below:
    User Access Verification
    Username: test
    Password:
    Switch>show ?
    diagnostic Show command for diagnostic
    flash1: display information about flash1: file system
    flash: display information about flash: file system
    interfaces Interface status and configuration
    ip IP information
    switch show information about the stack ring
    Switch>show switch
    Switch/Stack Mac Address : 0015.f9c1.ca80
    H/W Current
    Switch# Role Mac Address Priority Version State
    *1 Master 0015.f9c1.ca80 1 0 Ready
    Switch>show run
    ^
    % Invalid input detected at '^' marker.
    Switch>show aaa server
    ^
    % Invalid input detected at '^' marker.
    Switch>show inter
    Switch>show interfaces
    Vlan1 is up, line protocol is up
    Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
    Internet address is 192.168.26.3/24
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Switch>
    Please check this link,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • AAA TACACS with Brocade Switches

    We are testing authentication on Brocade switches with our AAA TACACS+ server.  It seems that after authenticating to enable mode, you can type "exit" and be dropped back to level 7 mode.  From this point you can type "enable" and authenticate to the switch using the local "enable" password, not from TACACS.  Has anyone run across this and is there a way to correct it?  Is there something that needs to be configured in TACACS on the server to recognise the Brocade switch and make this work?
    Ray

    Hi Ray,
    What ACS version are you using?
    On a cisco switch the following command is used:
    switch(config)# aaa authentication enable default tacacs+ enable
    The above command is used to set the TACACS+ as the default check for the enable password. If TACACS+ is not available it will fall back to the local enable password.
    You need to look into such option in the Brocade switch.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • How to setup a print spool  in UNIX

    Hi support, I am new to Basis and to SDN.
    Could you please help me with how to set up a print spool in UNIX?
    Thank you
    Martin

    Message 1 :
    On UNIX:
    1.     Login as sidadm
    2.     su - root
    3.     Execute "jetadmin" (or use "sam" if you are familiar with it).
    4.     Select option 1
    5.     Select option 3
    6.     Enter the IP address of the printer
    7.     Select option 1 again and assign an appropriate queue name
    8.     Follow the instructions to complete
    9.     "lpstat -t"  to confirm the printer is enabled
    10.     Setup on R3
    Message 2:
    On SAP
    1.     Transaction "SPAD"
    2.     Switch to change mode
    3.     Choose Output Device
    4.     Select Printer you want to create/copy/change
    5.     To use or bypass DAZEL:
    1.     use Dazel:
    a.     Host Spool Access Method: E
    b.     Host Printer: 1_usbprint03_xxxxxx
    c.     Logical OMS: R3 SID Dazel LOMS
    2.     bypass Dazel:
    a.     Host Spool Access Method: L
    b.     Host Printer: (queue name on UNIX Spool)
    To test printing, try to print something (i.e. spool server list) and go to Transaction "SP01" to change the result.

  • Setup Problem HP6830 using Hotspot for Printer & Laptop

    I have a TMobile Hotspot that gives me internet access for my laptop. I have an HP Officejet Pro that I just got and I'm trying to set it up on the Hotspot network. I've installed (via disk) the HP Software on my Toshiba Computer. I've gone through the setup process on the printer and it shows I'm connected to the Hotspot Network. When I try to go through the setup process on the computer it says it can't find that printer. I've checked - over and over again - the IP, and printed everything out (Config Page & Network Test Results) on the Printer, and it indicates everything is OK. My question is - Why can't my computer find the computer (they're both on the same Hotspot Network)? I don't have a USB Cable right now, and I'm trying to set it up wirelessly.  Any suggestion about what I might have missed?  Any help would be appreciated.

    Hey, Welcome to the HP Support Forum.  I understand you're encountering some setup issues when using your HP Officejet Pro 6830 e-All-in-One Printer with a mobile hot spot.  I would like to assist you with this.   In my experience, mobile hotspots are hit and miss when used to support printers' wireless connections, even when the setups are completed with diligence and care on the part of the user.  This caveat aside, as there are no official documents from HP on how to troubleshoot this particular issue, I recommend toggling airplane mode on your T-Mobile device before restoring the hotspot connection.  Try the printer to laptop connection via the software as before, once you've confirmed the laptop's connected to the hotspot.  If this approach falls short, you could try the alternative and HP supported wireless direct setup method.  Here's how:
    1. From your printer's front panel touch the Wireless Direct icon.
    2. Turn Wireless Direct On.
    3. From here you can choose to have it enabled with Security On or Off.  If you turn Security On, make a note of the passcode (it'll come in handy later).
    To learn how to complete the setup on your computer and any other mobile devices, click here for more instructions. Please let me know the result of your troubleshooting by responding to this post.  If I have helped you resolve the issue, feel free to give me a virtual high-five by clicking the 'Thumbs Up' icon below and clicking to accept this solution. Thank you for posting in the HP Support Forum.  Have a great day!

  • How to change the print page setup in IE using javascript

    Dear all,
    I want to print on envelope paper size, so I want to change the page setup in IE.
    I want to change the print page setup in IE using JavaScript.

    I think, you can do this using CSS.
    http://support.sas.com/rnd/base/ods/templateFAQ/Template_csstyle.html

  • What easy setup do I use for the Canon A1 1080i60?

    What easy setup do I use for the Canon A1 1080i60?

    I called tech support and they were no help.
    G5   Mac OS X (10.4.9)  

  • Document on 10g RAC setup on solaris using vmware

    Hi All,
    I am planning to set up "Oracle 10g RAC on Solaris using VMware", but I am stuck at the installation of Solaris 10 in VMware.
    Can anybody please help/provide me the document on Solaris 10 installation for the RAC setup?
    The main problems I am having during the Solaris 10 setup are:
    1) Setting up the static public and private addresses required for RAC
    2) Partitioning the disk space.
    Thanks in advance,
    Mahipal Reddy

    Refer these,
    http://www.scribd.com/doc/15650880/Install-Rac-on-Solaris-Vmware
    http://www.disperu.com/using-vmware-server-install-10g-rac-on-solaris/
    http://nayyares.blogspot.com/2008/11/step-by-step-rac-10g-r2-solaris-10.html
    Thanks
    Edited by: Cj on Dec 13, 2010 2:38 AM

  • Schedule workbook using Unix shell script

    Hi,
    Can we schedule a workbook using a Unix shell script?
    Thanks,
    Jay

    I can't imagine how.
    1. You can schedule Disco workbooks via Disco itself.
    2. You can schedule Disco workbooks to run and output in different file formats automatically via the batch scheduler in Windows running Disco Desktop directly (or can use VBasic).
    3. You can schedule Disco workbooks to run and output in different file formats automatically via a Java program running the Java Command Line interface.
    Moving forward, Oracle has announced that with a further interfacing of Disco with XML Publisher, you'll be able to use Oracle Apps concurrent manager and scheduling. But that's coming supposedly at the end of this year.
    And I think that's about it.
    Russ

  • HT5552 I am unable to setup payment method using American Express.

    I am unable to setup payment method using American Express.

    Contact iTunes Customer Service and request assistance
    Use this Link  >  Apple  Support  iTunes Store  Contact

  • Opendataset is used for Unix Server or windows server

    Hi Experts
    Is the Opendataset statement used for a Unix app server or a Windows app server?

    Hi,
    Doesn't matter, the same statement is used for all operating systems.
    regards,
    Advait
