topic Re: AAA Authentication Question in Storage Networking

AAA Authentication Question

kendo.igor — Sun, 08 Feb 2004 04:52:16 GMT

I'm using MDS 2916 and Cisco ACS 3.1.

I'm able to create user accounts in ACS who can successfully log on to MDS 2916 via telnet. However, thes user have "Network-operator" privileges. How can I give this TACACS+ user accounts "Network-admin" privileges.

Re: AAA Authentication Question

tblancha — Sun, 08 Feb 2004 23:52:58 GMT

The network-admin attribute will be passed to the MDS as an AV-Pair.

In order to do this, follow these steps:

1. go to your ACS server

2. select your user

3. All the way down there is a table named: TACACS+ Settings

4. Check Shell (exec) and Custom attributes

5. In the following edit box put this:

cisco-av-pair=shell:roles="network-admin"

This will return the role "network-admin" to the MDS for that specific

user.

Re: AAA Authentication Question

obrenes — Mon, 25 Oct 2004 20:28:22 GMT

I successfully modified my user and was authenticated as Network Admin in the MDS. However, when I try to log in into my routers I get the following message:

TAC+: Received Attribute "shell:roles="network-admin""

AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:roles="network-admin"

AAA/AUTHOR/EXEC: Authorization FAILED

Do I have to create 1 user to administrate my routers and 1 user for my MDS?

Thanks for your help

Re: AAA Authentication Question

tblancha — Mon, 25 Oct 2004 21:50:27 GMT

Starting with 1.3.5 SAN-OS, you can apply the following in TACACs so a MDS user will get to be admin. However, the following does not interfere with the IOS enable privleges. In a nutshell, if you want it all to work together, upgrade the MDS's to 1.3.5 and in the server, use one of the following:

cisco-av-pair*shell:roles="network-admin"

cisco-av-pair*shell:roles*"network-admin"

cisco-av-pair=shell:roles*"network-admin"

cisco-av-pair=shell:roles="network-admin"

Re: AAA Authentication Question

Arueda — Wed, 10 Nov 2004 17:47:28 GMT

there is a fix to this on the new release of SanOS v 2.

you can not have both local and acs authentication working on SAnOs V1.3x. I reported the bug back in July of 2004 and finaly got fixed!

this is bug exists on MDs9K series but i would believe that it would apply to yours.

Re: AAA Authentication Question

obrenes — Thu, 11 Nov 2004 15:48:32 GMT

I applied the

cisco-av-pair*shell:roles="network-admin"

command in my TACACS settings and I have successfully logged in into my router and MDS 9K (OS 1.3.4a).

However, I have experienced some problems in the login process for the MDS (It seems like a bug). Sometimes it works and sometimes it doesn’t. Maybe it's the bug that ARueda is talking about (CSCee83961).

Pura Vida

Re: AAA Authentication Question

obrenes — Thu, 11 Nov 2004 16:03:31 GMT

Thanks for the info, it was very helpful.

Pura Vida

Re: AAA Authentication Question

Arueda — Thu, 11 Nov 2004 17:43:13 GMT

that is part of the bug, when you have a somewhat large cisco environment with multiple ethernet and fiber gear this becomes more clear. the bug does affect Cisco's IOS but given the large IOS base,it was easier to fix SanOS. I am going to load 2 on one of our production switches this weekend. if you want me to i can keep you posted.

Re: AAA Authentication Question

obrenes — Fri, 12 Nov 2004 15:17:10 GMT

Thank you, yes, please keep me posted.