
ACE TACACS authentication

thai.nguyen
Level 1

Hi,

I have a few questions about setting up RBAC on an ACE with an ACS (AAA server).

1. Custom attributes: according to the config guide, the following string must be specified in the custom attribute.

e.g. shell:Admin=Admin default-domain. This does include the ACE name, so it can be any Admin VC. This means a user in the group can access all Admin VCs?

2. When a user VC talks to an ACS, does it use the context name as the hostname (AAA client) when configuring the network configuration in ACS?

1 Reply

litrenta
Level 3

Each virtual context can be configured for TACACS separately. When you configure:

shell:Admin=Admin default-domain

and set the management IP of the Admin context as the device in ACS, then a user logging into Admin can do a changeto and get into that context with Admin rights.

But let's say that we have a context named TEST and we want to set up a group of users who only have Admin rights for TEST.

We set up the context to do TACACS (define the server, aaa authentication, etc.).

We add the management IP as a new device in ACS.

We define the TACACS properties for the group as:

shell:TEST=Admin default-domain

You can use multiple lines in the group or user, defining different roles for different contexts; the trick is that each context would be configured for TACACS and defined as a separate device in ACS.

If you log in to the Admin context with Admin rights, only the Admin context talks to ACS; there is no further authentication done when you do a changeto.

When you log in directly to contexts, those contexts talk to ACS and are identified by the IP address of the device you added as the AAA client IP in the network configuration screen of ACS.
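As an added illustration of the per-context setup described in the reply above (this is not part of the original thread and not taken from a Cisco guide), here is the TACACS+ configuration repeated in the Admin and TEST contexts, followed by the ACS shell custom attributes for two example groups. The hostname host1, the server address 10.0.0.50, the shared key, the server-group name ACS_GRP, the management addresses 10.0.0.10 and 10.0.0.20, the group names and the use of the Network-Monitor role are all assumptions chosen for the example.

```cisco
! --- Admin context (management IP 10.0.0.10, assumed) ---
! Registered in ACS as its own AAA client, keyed by that IP.
host1/Admin# configure
host1/Admin(config)# tacacs-server host 10.0.0.50 key s3cr3t-tacacs-key
host1/Admin(config)# aaa group server tacacs+ ACS_GRP
host1/Admin(config-tacacs+)# server 10.0.0.50
host1/Admin(config-tacacs+)# exit
host1/Admin(config)# aaa authentication login default group ACS_GRP local
host1/Admin(config)# aaa accounting default group ACS_GRP
host1/Admin(config)# exit

! --- TEST context (management IP 10.0.0.20, assumed) ---
! The same AAA configuration is entered again inside the context, and
! 10.0.0.20 is added to ACS as a second, separate AAA client.
host1/Admin# changeto TEST
host1/TEST# configure
host1/TEST(config)# tacacs-server host 10.0.0.50 key s3cr3t-tacacs-key
host1/TEST(config)# aaa group server tacacs+ ACS_GRP
host1/TEST(config-tacacs+)# server 10.0.0.50
host1/TEST(config-tacacs+)# exit
host1/TEST(config)# aaa authentication login default group ACS_GRP local
host1/TEST(config)# aaa accounting default group ACS_GRP
host1/TEST(config)# exit

! --- ACS side: TACACS+ "shell (exec)" custom attributes per group ---
! (text typed into the ACS custom-attributes field, not ACE commands)
!
! Group ACE-FULL-ADMINS (assumed name): Admin role in the Admin context.
! Because changeto from Admin is not re-authenticated, this is effectively
! full access to every context on the box.
shell:Admin=Admin default-domain
!
! Group TEST-ADMINS (assumed name): Admin only in TEST, read-only
! monitoring in Admin. The name left of "=" is the context that
! authenticated the login, so these users must log in to 10.0.0.20
! (TEST) directly to get Admin rights.
shell:TEST=Admin default-domain
shell:Admin=Network-Monitor default-domain
```

Both contexts point at the same ACS server; what distinguishes them to ACS is the source IP of the AAA request, which is why each context's management address needs its own AAA client entry. When auditing such a setup, check which groups carry a shell:Admin=Admin line, since that single attribute, combined with the unauthenticated changeto, grants access to all contexts regardless of what the other lines say.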
