
ACE Virtual context -TACACS authentication issue

parveesm123
Level 1

Hello All,

I have configured four contexts in the ACE module.

I am trying to authenticate individual contexts through ACS.

Admin context authentication is working perfectly fine, and it is assigning the role of Admin for all the ACS users.

But when I am trying to authenticate other contexts, the authentication part is working fine, but the user is not able to do any action other than show commands.

When I checked the user account (show user-account), it is given the role of Network-Admin.

Admin Context Output:
---------------------------------
user:parvees.m
        roles: Admin
        domain: default-domain
        Context: Admin

Context ABC output
-----------------------------
user:parvees.m
        roles: Network-Admin
        domain: default-domain
        Context: ABC

Any help is highly appreciated.

Regards,

Parvees M

3 Replies

ohynderi
Level 1

Hello Parvees,

What value did you set for the shell attribute on your ACS? It should be like:

shell:ABC=Admin

If you take a capture (Wireshark with your TACACS secret), do you see this attribute-value being sent?

Thanks,

Olivier

Hi Olivier,

The following ACS shell command has been added and it worked for me:

shell:ABC ="Admin default-domain"

This has been repeated for all the domains... and it worked fine.

Regards,

Parvees

jackwikinski
Level 1

Hi Parvees,

I also encountered this when configuring multiple contexts via ACS.

The solution is to use an asterisk in the syntax after the context.

Without it you will receive network admin permissions as you have described below.

For example:

shell:Admin*Admin default-domain
shell:Web*Admin default-domain
shell:Parties*Admin default-domain

Hope this solves your problem.

Jack.
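
Added example, not part of any reply above and not Cisco code: a small offline check for the `shell:<context>` attribute strings discussed in this thread, reporting which role and domain each context would receive and which contexts have no entry. In TACACS+ (RFC 8907) `=` marks a mandatory attribute and `*` an optional one; the value layout `<role> <domain>...` is assumed from the examples in the thread, and the function names, sample lines and context list are constructed for illustration.

```python
import re

# "=" is a mandatory TACACS+ attribute, "*" an optional one (RFC 8907).
# Value layout "<role> [domain ...]" is assumed from the thread's examples.
AV_RE = re.compile(r'^shell:(?P<context>[^\s=*]+)\s*(?P<sep>[=*])\s*(?P<value>.+)$')

def parse_shell_av(line):
    """Parse one shell:<context> attribute line into its parts."""
    m = AV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a shell:<context> attribute: {line!r}")
    # ACS entries may wrap the value in double quotes; drop them before splitting.
    words = m.group("value").strip().strip('"').split()
    if not words:
        raise ValueError(f"empty value in: {line!r}")
    return {
        "context": m.group("context"),
        "mandatory": m.group("sep") == "=",
        "role": words[0],
        "domains": words[1:],
    }

def audit(av_lines, expected_contexts):
    """Return (parsed entries by context, list of findings)."""
    parsed, findings = {}, []
    for line in av_lines:
        try:
            av = parse_shell_av(line)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        parsed[av["context"]] = av
        if not av["domains"]:
            findings.append(f"{av['context']}: role {av['role']} has no domain listed")
    for ctx in expected_contexts:
        if ctx not in parsed:
            findings.append(f"{ctx}: no shell:{ctx} attribute configured")
    return parsed, findings

# Constructed sample input: attribute lines in the thread's formats and a
# hypothetical list of contexts defined on the ACE.
SAMPLE_LINES = ["shell:Admin*Admin default-domain", "shell:ABC=Admin"]
EXPECTED_CONTEXTS = ["Admin", "ABC", "Web"]

if __name__ == "__main__":
    entries, problems = audit(SAMPLE_LINES, EXPECTED_CONTEXTS)
    for p in problems:
        print("FINDING:", p)
```
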
