Cisco ACE Module 30 - Issue in getting in to config mode

nkarthikeyan
Level 7

Hi ,

I have configured my ACE Mod 30 with Admin and some basic settings for Web filtering contexts. After putting the delta configurations for syncing...

Configuration mode is showing disabled @ standby ACE, which is correct and as expected.

But even on the active ACE, I got a log message that configuration mode is enabled for all contexts. But when I try to get into configure terminal mode, it does not let me in.

OS: A4.23

lb-p01/Admin# ?
Exec commands:
  changeto    Changeto another context
  configure   Enter configuration mode
  dir         Directory listing for files
  exit        Exit from the EXEC
  invoke      Invoke commands in other contexts from admin context
  ping        Send echo messages
  show        Show running system information
  ssh         SSH to another system
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  xml-show    Display xmlized show command result in xml
lb-p01/Admin#

lb-p01/Admin# config?
% invalid command

I am totally new to ACE module implementation. Request your support or help in getting this fixed.

Regards

Karthikeyan N

1 Accepted Solution

Accepted Solutions

Hi Karthikeyan,

Can you execute the show users command and check what the role is? If the role is network-monitor, you cannot get into config mode. If you do not explicitly assign a role to a user with the username command, this is the default role.

Please check the following link to understand more about pre-defined roles:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/quick/guide/rbac.html

Hope this helps.

Thanks,

Rajesh


rajsures
Cisco Employee

Hi Karthikeyan,

Hope you have tried the command "conf t" in the Admin context. When you try this command, what is the error message displayed?

Thanks,

Rajesh.

Hi Rajesh,

On the active module it says

lb-p01/Admin# conf t
                      ^
% invalid command detected at '^' marker.

lb-p01/Admin# configure terminal
                      ^
% invalid command detected at '^' marker.

lb-p01/Admin# ?
Exec commands:
  changeto    Changeto another context
  configure   Enter configuration mode
  dir         Directory listing for files
  exit        Exit from the EXEC
  invoke      Invoke commands in other contexts from admin context
  ping        Send echo messages
  show        Show running system information
  ssh         SSH to another system
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  xml-show    Display xmlized show command result in xml
lb-p01/Admin#

But on the standby unit, I am getting the expected response that the configuration option is disabled when I prompt for conf t.

Ideally it should take me into conf t mode when I put conf t on the active ACE module, right?

Regards

Karthikeyan.N

Hi Rajesh,

I have tried removing the TACACS server configs just before you replied to me. But yes, you are correct. It doesn't allow me as an admin user when I come via TACACS. Let me go through the document and update you further if I need more support from you on this issue.

Regards

Karthikeyan

Hi Rajesh,

Could you please help me in defining TACACS-based authentication for ACE modules with admin privilege? How do I do that? The document which you have shared creates that on the local database of the ACE.

Regards

Karthikeyan

Hi Karthikeyan,

Here's an example of tacacs configuration on ACE:

tacacs-server host 1.1.1.1 key XXXXXXXX
tacacs-server host 2.2.2.2 key XXXXXXXX
tacacs-server timeout 10

aaa group server tacacs+ MYTACACS
  server 1.1.1.1
  server 2.2.2.2

aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group MYTACACS

Hope this helps.

Thanks,

Rajesh.

Hi Rajesh,

I have a similar configuration on my ACE LB. But when I log in with my TACACS, I get only Network-Monitor level access. Is there anything that needs to be done on the TACACS server? I believe in TACACS it is by default set as level 15 for my ID. Please advise me on the same.

tacacs-server key abcd1234wxyz
tacacs-server timeout 6
tacacs-server host 10.9.16.191
tacacs-server host 10.9.15.251

aaa group server tacacs+ TacServers
  server 10.9.16.191
  server 10.9.15.251
!
context Admin
  description ACE Administrative Context

aaa authentication login default group TacServers local
aaa authentication login console group TacServers local
aaa accounting default group TacServers local
aaa authentication login error-enable
!

Hi Karthikeyan,

I found this existing thread which explains what needs to be done on the TACACS server if it's an ACS:

https://supportforums.cisco.com/thread/2041390

Hope this helps.

Thanks,

Rajesh.
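
Added example, not part of the original thread and not Cisco code: a small Python model of the behaviour discussed above, where a TACACS+ user whose authorization reply carries only `priv-lvl=15` still lands in the default Network-Monitor role. It assumes the per-context custom attribute format `shell:<context>=<role> <domain...>` from Cisco's ACE AAA documentation (with `*` in place of `=` marking the TACACS+ AV pair optional); the function names and sample replies are hypothetical, so check the attribute syntax against the guide for your release.

```python
# Added example: models how a TACACS+ authorization reply maps to an ACE role.
# Assumption: custom attribute format shell:<context>=<role> <domain...>
# ('*' instead of '=' marks the AV pair as optional in TACACS+).
import re

DEFAULT_ROLE = "Network-Monitor"    # role the thread says applies when none is assigned
DEFAULT_DOMAIN = "default-domain"

AV_PAIR = re.compile(r"^shell:(?P<context>[^=*\s]+)[=*](?P<value>.+)$")


def parse_role_attrs(av_pairs):
    """Return {context: (role, [domains])} built from shell:<context> AV pairs."""
    roles = {}
    for pair in av_pairs:
        m = AV_PAIR.match(pair.strip())
        if not m:
            continue  # e.g. priv-lvl=15 carries no ACE role information
        fields = m.group("value").split()
        if not fields:
            continue  # attribute present but empty: nothing to assign
        roles[m.group("context")] = (fields[0], fields[1:] or [DEFAULT_DOMAIN])
    return roles


def effective_role(av_pairs, context):
    """Role and domains a TACACS+ user gets in `context`; default if no match."""
    fallback = (DEFAULT_ROLE, [DEFAULT_DOMAIN])
    return parse_role_attrs(av_pairs).get(context, fallback)


def gets_default_role(av_pairs, context):
    """True when the user falls back to the show-only default role."""
    return effective_role(av_pairs, context)[0] == DEFAULT_ROLE


# Constructed sample authorization replies (not captured from a real server).
ONLY_PRIV = ["priv-lvl=15"]
WITH_ROLE = ["priv-lvl=15", "shell:Admin*Admin default-domain"]

if __name__ == "__main__":
    for name, reply in (("priv-lvl only", ONLY_PRIV), ("with role attribute", WITH_ROLE)):
        print(name, effective_role(reply, "Admin"), gets_default_role(reply, "Admin"))
```
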