05-29-2014 09:56 AM
Dear Mister
I have the following problem. I have ACE software version A5(1.2). Before, we used version A3.1. Well, after the change (everything has the same configuration), when I try to configure the context and equipment, it is impossible. I do:
switch/cert# conf t
^
% invalid command detected at '^' marker.
But the user is authenticated. I do a show role, and I get this:
switch/cert# show role
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 4
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Monitor all
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
The running configuration for TACACS is the following (it worked with the other version):
tacacs-server host 10.20.2.80 key 7 "wjzyhlpx"
tacacs-server host 10.20.16.138 key 7 "wjzyhlpx"
aaa group server tacacs+ TACACS
server 10.20.2.80
server 10.20.16.138
aaa authentication login default group TACACS local
I accept any suggestion.
Best Regards
05-29-2014 11:25 AM
Hi Rodrigo,
I see in "show role" that you have only the "network-monitor" role. Please log in with a user who has appropriate privileges, like admin, and you should not face this problem. For instance, a user with privileges would look like this:
switch/Admin# sh role
Role: Admin (System-defined)
Description: Administrator
Number of rules: 5
---------------------------------------------
Rule Type Permission Feature
---------------------------------------------
1. Permit Create all
2. Permit Create user access
3. Permit Create system
4. Permit Create changeto
5. Permit Create exec-commands
You have different options which you can select and use, but the one you are using has only the "Monitor" option.
I didn't get your question regarding TACACS. Could you please clarify that?
Hope this helps!
Regards,
Kanwal
05-29-2014 12:18 PM
OK. Thanks for your answer.
But in this case the TACACS server is not Cisco ACS. It is another TACACS server.
The question is ... how can I change the role from "network-monitor" to "Admin"??? Because the user database is external (using a non-Cisco TACACS server).
What must to get the ACE, also to the username??
Or, how can I change the default role in ACE??
Regards
05-29-2014 12:41 PM
Hi Rodrigo,
The role seems to be system defined. You should have a user role with which you should be able to login and make changes. With network monitor role, you cannot do anything. I am not sure if you can change it on your TACACS.
Regards,
Kanwal
06-05-2014 10:21 AM
Thank you, Mister
The strangest thing is that we have another context (in the same module, with the same tacacs and aaa configuration) and the user connection works.
Best Regards
05-29-2014 10:18 PM
Hi, since the users are created on the TACACS server, you need to check the TACACS server for the ACE user roles for each context.
Regards
06-04-2014 11:47 AM
Hello, maybe... The TACACS server must be able to send and receive attributes in messages with a value. For example, let's say I have the Admin context; the following server config would apply in the shell profile:
Attribute) shell:Admin
Value) Admin default-domain
Same with ACS too.
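The per-context attribute described in the last reply can be audited offline before a user logs in. The following is an added example, not part of any post in this thread: it checks which role each ACE context would receive from a shell profile. Assumptions: the profile is exported as "attribute=value" strings (a hypothetical format), context names must match exactly, and a context with no matching attribute leaves the user at Network-Monitor, as seen in the first post.

```python
# Added example: audit a TACACS+ shell profile for per-context ACE roles.
# The export format and all sample data below are constructed for illustration.

FALLBACK_ROLE = "Network-Monitor"  # assumption: role observed in the thread when nothing matches


def parse_profile(av_pairs):
    """Return ({context: (role, [domains])}, [problems]) from 'shell:<context>=<role> <domain>' pairs."""
    grants, problems = {}, []
    for pair in av_pairs:
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not name.startswith("shell:"):
            continue  # unrelated attribute, not an ACE context grant
        context = name[len("shell:"):]
        fields = value.split()
        if not sep or not context or not fields:
            problems.append(f"malformed attribute: {pair!r}")
            continue
        grants[context] = (fields[0], fields[1:])
    return grants, problems


def effective_role(grants, context):
    """Return (role, hint); hint explains why the fallback role applies, else None."""
    if context in grants:
        return grants[context][0], None
    # Exact matching is assumed, so a case difference is reported as a likely typo.
    near = [c for c in grants if c.lower() == context.lower()]
    if near:
        return FALLBACK_ROLE, f"profile has shell:{near[0]}, case differs from {context!r}"
    return FALLBACK_ROLE, f"no shell:{context} attribute in profile"


def audit(av_pairs, contexts):
    """Map every context the user must manage to the role it would get."""
    grants, problems = parse_profile(av_pairs)
    return {c: effective_role(grants, c) for c in contexts}, problems


# Constructed sample: the profile grants Admin in the Admin context only,
# plus a mis-cased entry for the "cert" context from the first post.
SAMPLE_PROFILE = ["shell:Admin=Admin default-domain", "priv-lvl=15",
                  "shell:Cert=Admin default-domain", "shell:lab="]

if __name__ == "__main__":
    report, problems = audit(SAMPLE_PROFILE, ["Admin", "cert", "dmz"])
    for ctx, (role, hint) in report.items():
        print(f"{ctx:6} -> {role:16} {hint or ''}")
    for p in problems:
        print("warning:", p)
```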