10-10-2008 12:28 PM
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.
Please help. Thanks.
10-15-2008 05:43 AM
You do not have any other access to the device?
What about the console? Do you also run TACACS on the console?
G.
10-15-2008 09:21 AM
This is what I did:
1- Configure the AAA configuration on the ACE box.
2- Go to my Cisco ACS and stop the ACS service. That enables me to log into the ACE box with "admin/admin".
3- Enable the Cisco ACS service on the ACS server.
4- Now I can log into the ACE box with the ngx1 account. However, I cannot go into "conf t" mode.
10-16-2008 03:16 AM
Can anyone help? Thanks in advance.
10-16-2008 03:39 AM
The next thing is to get a sniffer trace of the TACACS exchange.
We'll need the key to decode it.
You can also try to upgrade to A1(8a) or A3(1.0).
Finally, a service request with the TAC seems appropriate.
Gilles.
10-30-2008 06:02 PM
I found the following in the ACE 4700 release notes:
CSCsl48103 - When the ACE is configured for TACACS+ authentication with a user context and the Cisco ACS sends the cisco-av-pair* attribute before the ACE custom shell attribute, you cannot log in to the ACE via TACACS+ and use the Admin role. Workaround: Do not use the ACE TACACS+ authentication for an Admin role. If you must use TACACS+ authentication for an Admin role, do not configure the Cisco ACS to send the cisco-av-pair* attribute.
HTH
Ross
10-31-2008 05:34 AM
Are you saying that I do NOT need in Cisco ACS:
shell:Admin*Admin default-domain
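As an added illustration (not code from this thread or from Cisco), a small Python model of the attribute-ordering condition in CSCsl48103: it parses TACACS+ authorization AV pairs in the shell:<context>*<role> <domain> form quoted above and flags a reply in which a cisco-av-pair attribute arrives before the ACE custom shell attribute. The sample replies and the cisco-av-pair value are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# TACACS+ authorization AV pairs: "attr=value" is mandatory, "attr*value" is optional.
AV_PAIR = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")

@dataclass
class AceShellAttr:
    context: str    # ACE context the role applies to (e.g. "Admin")
    role: str       # ACE user role (e.g. "Admin")
    domain: str     # ACE domain (e.g. "default-domain")
    optional: bool  # True when sent with the "*" (optional) separator

def parse_av_pair(pair: str):
    """Split a TACACS+ AV pair into (attribute, is_optional, value)."""
    m = AV_PAIR.match(pair)
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {pair!r}")
    return m.group("attr"), m.group("sep") == "*", m.group("value")

def parse_ace_shell(pair: str) -> Optional[AceShellAttr]:
    """Parse the ACE custom attribute shell:<context>*<role> <domain>; None if it is not one."""
    attr, optional, value = parse_av_pair(pair)
    if not attr.startswith("shell:"):
        return None
    parts = value.split()
    if len(parts) != 2:
        return None
    return AceShellAttr(attr[len("shell:"):], parts[0], parts[1], optional)

def ace_login_outcome(reply_attrs: List[str]) -> dict:
    """Model CSCsl48103: Admin-role login fails if cisco-av-pair precedes the ACE shell attribute."""
    shell = None
    av_pair_before_shell = False
    for pair in reply_attrs:
        attr, _, _ = parse_av_pair(pair)
        if attr == "cisco-av-pair" and shell is None:
            av_pair_before_shell = True
        elif shell is None:
            shell = parse_ace_shell(pair)
    affected = shell is not None and shell.role == "Admin" and av_pair_before_shell
    return {"shell": shell, "admin_login_affected": affected}

# Constructed sample replies (same attributes, two orders); the cisco-av-pair value is a placeholder.
GOOD_ORDER = ["shell:Admin*Admin default-domain", "cisco-av-pair*shell:priv-lvl=15"]
BAD_ORDER = ["cisco-av-pair*shell:priv-lvl=15", "shell:Admin*Admin default-domain"]
```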