topic Re: AAA on ACE in Application Networking

AAA on ACE

akhil.abrol — Thu, 16 Jul 2009 06:15:52 GMT

Dear experts,

I need to enable aaa authentication on Cisco ACE 4710 and unable to do that. Please help me with this.

Here is the config i have done on the ACE.

tacacs-server key 7 "vdepw@cffgG1tplDU"

tacacs-server host 172.18.124.20 key 7 "vdepw@cffgG1tplDU"

tacacs-server host 172.18.124.21 key 7 "vdepw@cffgG1tplDU"

aaa group server tacacs+ TACACS+_Server_Group1

server 172.18.124.20

server 172.18.124.21

aaa authentication login default group TACACS+_Server_Group1 local

aaa authentication login error-enable

I added the entry for ACE in ACS but still its not authenticating.

Regards,

Akhil

Re: AAA on ACE

dario.didio — Thu, 16 Jul 2009 06:32:14 GMT

Hi,

Are the ACS IP Addresses reachable from your ACE?

Do you see failed attempts on your ACS?

Is your Tacacs server using port 49, which is used by the ACE by default?

HTH,

Dario

Re: AAA on ACE

akhil.abrol — Thu, 16 Jul 2009 06:35:02 GMT

Yes, ACS is reachable from all 4 ACEs. I specifically opened a policy in the firewall to check the traffic.

I cant see any failed attempts and yes the ACS server is using default port 49. i did a telnet test from ACE to ACS in 49 and it was successful.

Regards,

Akhil

Re: AAA on ACE

mherald — Thu, 16 Jul 2009 19:10:54 GMT

By not working, what do you mean? FOr example, does your username/password not work at all? Or the username/password does work but with limited privs?

If it is the second case, in the ACS, dont forget to add the TACACS+ Settings / Custom Attributes:

shell:Admin*Admin default-domain (for default).

Note - if you are doing IOS authorization on any other device which this user is a part of, ensure the "*" is there or you may get the ACE AAA functional, but now IOS devices will give you fits.

Re: AAA on ACE

akhil.abrol — Fri, 17 Jul 2009 05:41:49 GMT

Yes, its the second case.

I can login with my AAA credentials but not previleged.

Please clear this a little more.

If it is the second case, in the ACS, dont forget to add the TACACS+ Settings / Custom Attributes:

shell:Admin*Admin default-domain (for default).

In Tacacs+ settings, where do i have make thses changes?

Regards,

Akhil

Re: AAA on ACE

Syed Iftekhar Ahmed — Fri, 17 Jul 2009 06:52:51 GMT

You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.

Following steps (On tacacs server) will make it work

1. Select your user

2. goto tacas+ settings

3. Select " shell (exec)" checkbox

4. Select "custom attributes" checkbox

5. Type your context and role information in custom attrib box, using following format

shell:*

for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )

shell:Admin*Admin default-domain

For more information

Please read One of my old post on this topic.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc10b80/3#selected_message

Hope it helps

Syed Iftekhar Ahmed

Re: AAA on ACE

akhil.abrol — Fri, 17 Jul 2009 07:24:58 GMT

Thats why i wrote dear "Experts" 🙂 🙂 🙂 🙂

Actually the custom attributes option was not enabled in the interface configuration. So i searched it and checked it there..

Thanks for the help. 🙂

Akhil

Re: AAA on ACE

akhil.abrol — Sat, 18 Jul 2009 06:42:17 GMT

Hi,

After doing the changes, i cannot loging to my other network devices. Is there a way out for this or I need to create a seperate ID for ACE.?

Akhil