ACS authentication with multiple ACEs and Contexts

josefribeiro
Level 1

Hi All,

I have been able to successfully set up ACS authentication to our ACE Admin contexts using the Custom Attribute below:

shell:Admin*Admin default-domain

My question is the following: we have 8 ACEs installed with an average of 4 production contexts per device. That's 30+ virtual load balancers. Do I have to enter the shell statement for each and every context or is there a wildcard I can use to cover all of them?

Thanks,

Jose Ribeiro

2 Replies

Marvin Rhoads
Hall of Fame

I am using TACACS+ servers for AAA on my multi-context ACE-20 modules.

Here are the commands on the ACE (needed in admin context only):

tacacs-server key 7 ""
tacacs-server timeout 15
tacacs-server host 172.17.25.13 key 7 ""
tacacs-server host 172.17.25.14 key 7 ""
aaa group server tacacs+
  server
  server

aaa authentication login default group local
aaa authentication login console group local
aaa accounting default group local

I use the shell command you cited on the TACACS server (Cisco ACS for Windows NT, version 4):

shell:Admin*Admin default-domain

Log into admin context and then "changeto" any of the other contexts. Nothing further is required.

Hi,

Thanks for the reply, but that actually would not work for us. We need to provide different people access to different contexts, so the "changeto" solution would not work.

Also, we use CiscoWorks to back up the configuration and we have plans to use it in the future to apply changes. So the CiscoWorks ACS userid would need admin access to all contexts.

Thanks,

Jose Ribeiro
