06-09-2010 07:39 AM
I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices. I have all the routers and switches working just fine, but am having an issue with getting the ACE to use TACACS. I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine. I found some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content are below. I know the AAA is working with this TACACS server as the accounting functions properly.
ACE AAA
tacacs-server host 10.1.0.202 key 7 <removed>
aaa group server tacacs+ TAC_AUTH
server 10.1.0.202
!
aaa authentication login default group TAC_AUTH local
aaa authentication login console group TAC_AUTH local
aaa accounting default group TAC_AUTH local
tac_plus.conf
#----------------------------------------------------------------------#
# Accounting Logs
#----------------------------------------------------------------------#
accounting file = /data/tacacs.log
#----------------------------------------------------------------------#
# Server Key
#----------------------------------------------------------------------#
key = <removed>
#----------------------------------------------------------------------#
# ACL
#----------------------------------------------------------------------#
acl = auth_routers {
    permit = .*
}
#----------------------------------------------------------------------#
# Groups
#----------------------------------------------------------------------#
group = admin {
    login = file /etc/passwd
    acl = auth_routers
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}
#----------------------------------------------------------------------#
# Users
#----------------------------------------------------------------------#
user = admin1 {
    default service = permit
    member = admin
}
user = admin2 {
    default service = permit
    member = admin
}
user = admin3 {
    default service = permit
    member = admin
}
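As an added example (not from the post or the tac_plus project), the Python below shows what the group's exec block turns into on the wire: a plain "a = v" line becomes the mandatory pair "a=v", an "optional a = v" line becomes "a*v", and the pairs are then carried in a TACACS+ authorization REPLY body (RFC 8907 section 6.2). The config excerpt is constructed from the post; the priv-lvl line is an assumption added to show a mandatory pair next to the optional one.

```python
"""Turn a tac_plus 'service = exec' block into TACACS+ AV-pairs, encode them
as an authorization REPLY body, and decode that body as a device would."""
import re
import struct

# Constructed sample: the group's exec block from the post, plus an
# assumed mandatory priv-lvl line for contrast.
SAMPLE_CONF = '''
group = admin {
    login = file /etc/passwd
    service = exec {
        optional shell:Admin = "Admin default-domain"
        priv-lvl = 15
    }
}
'''

ATTR_RE = re.compile(r'^\s*(optional\s+)?([\w:\-]+)\s*=\s*"?([^"\n]*?)"?\s*$')
SEP_RE = re.compile(r'[=*]')  # first '=' or '*' is the AV-pair separator

def exec_av_pairs(conf):
    """AV-pair strings the server would return for service=exec.
    'optional' lines get the '*' separator, others get '='."""
    block = re.search(r'service\s*=\s*exec\s*\{(.*?)\}', conf, re.S)
    if not block:
        return []
    pairs = []
    for line in block.group(1).splitlines():
        m = ATTR_RE.match(line)
        if m:
            opt, name, value = m.groups()
            pairs.append(f"{name}{'*' if opt else '='}{value}")
    return pairs

def authorization_reply(pairs, status=0x01):  # 0x01 = PASS_ADD
    """Encode the REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args."""
    args = [p.encode() for p in pairs]
    body = struct.pack("!BBHH", status, len(args), 0, 0)
    return body + bytes(len(a) for a in args) + b"".join(args)

def decode_reply_args(body):
    """Decode a REPLY body into (name, value, optional) triples."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt + msg_len + data_len
    out = []
    for n in body[6:6 + arg_cnt]:
        arg = body[pos:pos + n].decode()
        pos += n
        sep = SEP_RE.search(arg)
        out.append((arg[:sep.start()], arg[sep.end():], arg[sep.start()] == "*"))
    return out
```

A client is free to ignore an optional ("*") argument it does not understand, so comparing the decoded triple against what the ACE documentation says it expects is the quickest check on this kind of attribute mismatch.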
08-11-2010 12:10 PM
Anyone?