topic Re: ACE 4700 and Cisco ACS aaa authentication in Application Networking

ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Fri, 10 Oct 2008 19:28:42 GMT

ACE version Software

loader: Version 0.95

system: Version A1(7b) [build 3.0(0)A1(7b)

Cisco ACS version 4.0.1

I am trying to authenticate admin users with AAA authentication for ACE management.

This is what I've done:

ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49

warning: numeric key will not be encrypted

ACE-lab/Admin(config)# aaa group server tacacs+ cciesec

ACE-lab/Admin(config-tacacs+)# server ?

<A.B.C.D> TACACS+ server name

ACE-lab/Admin(config-tacacs+)# server 192.168.3.10

can not find the TACACS+ server

specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry

ACE-lab/Admin(config-tacacs+)#

Why am I getting this error? I have full

connectivity between the ACE and the ACS

server. Furthermore, the ACS server

works fine with other Cisco IOS devices.

Please help. Thanks.

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Sun, 12 Oct 2008 19:59:30 GMT

Can any ACE gurus help me out here? Thanks.

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Mon, 13 Oct 2008 06:34:16 GMT

the problem is the numeric key.

Change the key to something non-numeric.

Gilles.

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Mon, 13 Oct 2008 07:17:39 GMT

BTW, I have created a new bug for this CSCsv04319 so we can make the error message more explicit or accept the key even if all numeric.

Not sure yet which we way we will go.

Thanks for reporting the problem.

Gilles.

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Mon, 13 Oct 2008 09:40:26 GMT

Thanks. Now I have another problem. I CAN

log into the ACE via tacacs+ account(s).

However, I get error when I try going into

configuration mode:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

% invalid command detected at '^' marker.

ACE-lab/Admin#

The ngx1 account can access other Cisco

routers/switches just fine and can go into

enable mode just fine. Only issue on the ACE.

Any ideas? Thanks.

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Mon, 13 Oct 2008 10:09:40 GMT

ACE doesn't like the '=' in AV pair.

So you might have to do something like below to make sure you end up with the right role.

shell:Admin*Admin default-domain

instead of

shell:Admin=Admin default-domain

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Mon, 13 Oct 2008 10:24:28 GMT

where do I find that in Cisco ACS? I am not

using any AV pair.

Why is ACE so different that Cisco IOS

routers or ASA? If I am not configuring

AAA authorization on the device, why should

it matter with shell Admin

I also setup the grop which ngx1 account in

Cisco ACS, by default, is permitted to use

ALL services but it is not working either.

Re: ACE 4700 and Cisco ACS aaa authentication

Syed Iftekhar Ahmed — Mon, 13 Oct 2008 15:31:36 GMT

Please read One of my old post on this topic.

It has answers to your questions.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc10b80/3#selected_message

Thanks

Syed Iftekhar Ahmed

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Mon, 13 Oct 2008 16:47:39 GMT

Ok. This is what I did:

On your Tacacs Server

1. Select group that ngx1 user belongs to,

2. Scroll down to tacacs+ setting

3. check "shell(exec)" option

4. check "custom attributes"

5. In the custom attributes window add the custom AV-Pair info in the following format:

shell:Admin*Admin default-domain

restart ACS service.

Try to login again and same result.

Anyone know why?

Re: ACE 4700 and Cisco ACS aaa authentication

Syed Iftekhar Ahmed — Mon, 13 Oct 2008 17:04:57 GMT

Run the following command

show user-account

Within this command output what role do you see for the user you are logged in as.

Since its not working I suspect it would say

"Network Monitor" (default). If that is the

case then most likely cause is the Cisco AV-Pair information is not entered correctly.

Syed Iftekhar Ahmed

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Mon, 13 Oct 2008 17:50:14 GMT

ACE-lab/Admin# sh user-account | b ngx1

user:ngx1

roles: Network-Monitor

domain: default-domain

Context: Admin

account created through REMOTE authentication

Local login not possible

ACE-lab/Admin#

Now how do I go about fixing it? I followed

the instructions you suggested steps by steps.

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Wed, 15 Oct 2008 11:29:19 GMT

Can gurus in this forum help me resolve this

issue? Thank you.

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Wed, 15 Oct 2008 11:56:19 GMT

if your ACS setup has the correct line

shell:Admin*Admin default-domain with the correct names (case sensitive) then it should work.

If everything looks good do

debug aaa aaa-req

debug aaa events

debug aaa error

Try to login and see what you get.

Gilles.

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Wed, 15 Oct 2008 12:35:46 GMT

I can log in fine with the AAA credential but

I can NOT run any debug aaa commands:

ACE-lab login: ngx1

Password:

Cisco Application Control Software (ACSW)

TAC support: http://www.cisco.com/tac

The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

Some parts of this software are covered under the GNU Public

License. A copy of the license is available at

http://www.gnu.org/licenses/gpl.html.

ACE-lab/Admin# conf t

% invalid command detected at '^' marker.

ACE-lab/Admin# debug aaa aaa-req

% invalid command detected at '^' marker.

ACE-lab/Admin#

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Wed, 15 Oct 2008 12:43:02 GMT

the debug AAA reveals in the attachment. Can

someone help?

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Wed, 15 Oct 2008 12:43:46 GMT

you do not have any other access to the device ?

What about console ? Do you also run tacacs on console ?

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Wed, 15 Oct 2008 16:21:19 GMT

This is what I did:

1- configure AAA configuration on the ACE box,

2- go to my Cisco ACS and stop the ACS service.

That enables me to log into the ACE box with

"admin/admin",

3- enable Cisco ACS service on the ACS server,

4- Now I can log into the ACE box with ngx1

account. However, I can not go into the

"conf t" mode.

Re: ACE 4700 and Cisco ACS aaa authentication

cisco24x7 — Thu, 16 Oct 2008 10:16:13 GMT

Can anyone help? Thanks in advance.

Re: ACE 4700 and Cisco ACS aaa authentication

Gilles Dufour — Thu, 16 Oct 2008 10:39:51 GMT

next thing is to get a sniffer trace of the TACACS exchange.

We'll need the key to decode.

You can also try to upgrade to A1(8a) or A3(1.0).

Finally, a service request with the TAC seems appropriate.

Gilles.

Re: ACE 4700 and Cisco ACS aaa authentication

rtanner — Fri, 31 Oct 2008 01:02:13 GMT

I found the following in the ACE 4700 release notes:

CSCsl48103-When the ACE is configured for TACACS+ authentication with a user context and the Cisco ACS sends the cisco-av-pair* attribute before the ACE custom shell attribute, you cannot log in to the ACE via TACACS+ and use the Admin role. Workaround: Do not use the ACE TACACS+ authentication for an Admin role. If you must use TACACS+ authentication for an Admin role, do not configure the Cisco ACS to send the cisco-av-pair* attribute.

www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/A1_x/release/note/RACEA1X.html

HTH

Ross