WAAS CM Web GUI tacacs authentication

I have WAAS set up with tacacs authentication for ssh to the CLI. Whenever I log into the CM web gui with my tacacs ID I can log in, but I do not have any roles/privileges assigned to it. I have created a group within the web gui that matches the tacacs group name and have assigned roles/privileges to that group, but my tacacs ID through the web gui is still not getting any roles/privileges. Software version is 4.1.5c

3 Replies

Jennifer,

Below is a procedure which may help resolve your issue.

Regards,

Mike Korenbaum

Cisco Data Center PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Configuring Auto-Assignment of User Roles for WAAS with TACACS+ Authentication

This document describes how to automatically assign roles to users existing on an external user database. The level of access is based on the role assigned to user groups existing in the WAAS central manager.

It is possible to authenticate and assign roles to users existing in an external user database such as a TACACS+ server user DB. The user does not have to be defined directly in the CM.

For this to work, a user group has to be created in the CM and the desired role needs to be assigned to that same user group.

The following figure shows a user group ‘testgroup’ with three different roles assigned, including the ‘admin’ role.

A user group with the same name needs to be created in the ACS server, along with the respective users that will need to authenticate to WAAS CM and WAAS application accelerator devices.

In the ACS server, the user needs to be associated with the specific group and a custom AV pair (Attribute Value pair) has to be added in the custom attributes field of the user setup page.

The next figure shows the user ‘rjavier’ as being associated with the ‘testgroup’ group in ACS:

The next figure shows the custom AV pair being added to the custom attributes field in the user setup page:

In the above figure, ‘waas_rbac_groups’ is a custom AV pair used to specify the associated group name for each user in the TACACS+ user database or configuration file.

For each user, use the ‘waas_rbac_groups’ custom AV pair to list the user groups they belong to. Separate each group from the next with a comma as in the following example.

waas_rbac_groups=groupname1,groupname2,and so on…
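Added example, not code from the thread or from Cisco: a small Python model of the resolution the procedure above sets up (TACACS+ user, via the waas_rbac_groups AV pair, to CM user groups, and from those groups to the roles assigned in the CM). The group names, role names and AV pair values are constructed sample data, and exact-name matching of group names is an assumption.

```python
# Added example, not from the thread or Cisco: models how a TACACS+ user's
# waas_rbac_groups AV pair resolves to WAAS CM roles, following the reply
# above (user -> CM user groups via the AV pair, group -> roles in the CM).
# Group names, role names and AV pair values are constructed sample data.
from dataclasses import dataclass, field

# Constructed sample of user groups defined in the CM GUI and their roles.
CM_GROUPS = {"testgroup": {"admin", "monitor"}, "netops": {"monitor"}}

# Constructed sample of the custom attributes field from the ACS user setup
# page; the second user has a case mismatch, the third has no AV pair at all.
TACACS_USERS = {
    "rjavier": "waas_rbac_groups=testgroup",
    "jennifer": "waas_rbac_groups=TestGroup, netops",
    "nobody": "",
}

@dataclass
class Resolution:
    roles: set = field(default_factory=set)
    matched: list = field(default_factory=list)
    unmatched: list = field(default_factory=list)

def parse_rbac_groups(custom_attrs: str) -> list:
    """Return the group names from a 'waas_rbac_groups=g1,g2,...' line."""
    for line in custom_attrs.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "waas_rbac_groups":
            return [g.strip() for g in value.split(",") if g.strip()]
    return []

def resolve_roles(custom_attrs: str, cm_groups=CM_GROUPS) -> Resolution:
    """Union the roles of every listed group that exists in the CM.

    Assumption: matching is by exact name, so a group differing only in
    case is reported as unmatched. A user with no matched group gets no
    roles, which is the symptom described in the question.
    """
    res = Resolution()
    for name in parse_rbac_groups(custom_attrs):
        if name in cm_groups:
            res.matched.append(name)
            res.roles |= cm_groups[name]
        else:
            res.unmatched.append(name)
    return res

def users_without_roles(users=TACACS_USERS, cm_groups=CM_GROUPS) -> list:
    """Users who would authenticate but land in the CM with no roles."""
    return [u for u, a in users.items() if not resolve_roles(a, cm_groups).roles]
```

Running users_without_roles() before cutting over to TACACS+ lists the accounts whose AV pair names no group the CM knows about.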

Hi

Trying to find relevant docs for WAAS CM and ACS 5.2, but unsuccessful.

Any hints?

/ Jesper

Hi Jennifer

Had the same issue when I was trying to implement the same in our environment. Somehow the CM does not like to see the TACACS user account in the TACACS server.

This is what we did.

1. Delete the TACACS admin account name (if you already have it there from the changes that you were trying to implement)

2. Put an ACL to block the CM from talking to the TACACS server. This could be done from the core router.

3. Create the user name as normal

4. Apply all the necessary settings (groups, etc.)

5. Remove the ACL and remember to change the authentication method to TACACS as the first choice.